9 au 11 mars 2011
Montréal, Canada
Threat Modeling: detecting threats before coding
Participants who attended the Confoo 2010 security track learned several activities for reducing risks in web applications.
This talk entirely focuses on threat analysis & modeling (TAM) for developers and architects. TAM is a security activity conducted early in the development lifecycle, when we only have ideas, early design specifications and no source code is produced yet.
If conducted correctly, TAM can be highly cost-effective as all changes in the project are applied before the coding phase.
Participants will learn the basics of TAM:
- Understanding major threats in web applications
- Drawing data-flow-diagrams the fast and efficient way
- Locating critical assets in the application, and their security requirements
- Identifying threats and appropriate countermeasures
- Modifying the project design and specifications accordingly
The talk is "hands-on": participants will be working on a model based on a famous multi-million users web application.
This talk entirely focuses on threat analysis & modeling (TAM) for developers and architects. TAM is a security activity conducted early in the development lifecycle, when we only have ideas, early design specifications and no source code is produced yet.
If conducted correctly, TAM can be highly cost-effective as all changes in the project are applied before the coding phase.
Participants will learn the basics of TAM:
- Understanding major threats in web applications
- Drawing data-flow-diagrams the fast and efficient way
- Locating critical assets in the application, and their security requirements
- Identifying threats and appropriate countermeasures
- Modifying the project design and specifications accordingly
The talk is "hands-on": participants will be working on a model based on a famous multi-million users web application.
Antonio Fontes
OWASP Switzerland
Antonio Fontes has over ten years experience in the software and information security industry. He is an active member of the OWASP Switzerland board and has contributed to several open projects such as the "CWE Top 25 most dangerous programming errors." His day job involves assisting both public and private organizations in increasing security visibility and control over their software, such as with dev training, threat modeling, design review, code reviews, penetration testing, etc.
Montréal 2011 sponsored by
