Finding Security Defects through Threat Modeling
Wednesday, 5:00 PM PDT - PACIFIC BEACH
When talking about finding security defects we first think of security testing and static analysis of the code. Although, penetration testing and secure code review can uncover many types of security issues in an application, there are gaps that simply cannot be found with these traditional analysis techniques. The interactions between the different systems are beyond the code review level and the complex interconnections are often not reachable from the penetration tester’s point of view. Discovering weaknesses in the design of a system is the specific goal of threat modeling. Organizations benefit from this software design analysis because they can perform it without code to discover potential vulnerabilities early in the development cycle.
This talk will describe one of the popular threat modeling methodologies and follow its process of identifying the assets, security controls, and threat agents for a given system, and then creating a prioritized list of attacks. Security analysts together with system architects can then propose appropriate mitigations to be implemented by the team.
About Ksenia Dmitrieva
Ksenia Dmitrieva-Peguero is a Principal Consultant at Cigital with over six years of experience in securing web applications and five years of development experience. She performs penetration testing and code review for clients in financial services, entertainment, telecommunications, energy, and enterprise security industries. Her current concentration is on researching HTML5 technologies and new JavaScript frameworks, their security implications, vulnerability discovery and remediation. Ms. Dmitrieva-Peguero has delivered presentations and training sessions at conferences around the world, including BSides Security in London, Nullcon in India, AppSec California in the USA, RSA Asia Pacific & Japan in Singapore, AppSec Europe in Italy, and several NFJS shows.
More About Ksenia »