Process for Attack Simulation & Threat Analysis (P.A.S.T.A.) is an asset-centric (or risk-based) threat modeling methodology that connects the security dots within a given SDLC, those dots being how to discover vulnerabilities, attack them, apply the right countermeasures, and more. Today's application assessment options are both misunderstood and misapplied when assessing web applications or any application environment. Oftentimes, traditional security tools and testing methods seem to compete with one another instead of supporting a common goal, especially when trying to foster a 'build security in' doctrine. This concept of building security in has been spoken of for some time, yet no real traction has taken place amongst adopters; even with the information and support around frameworks such as the Software Assurance Maturity Model (SAMM) and the Building Security In Maturity Model (BSIMM), adoption is slower than anticipated.
The outlined process will provide a way in which BSIMM or SAMM can be sustained, via an anchored and repeatable threat modeling process. Audience members will be introduced to the P.A.S.T.A. process and will go through key exercises related to application decomposition, including but not limited to data flow diagramming, attack tree build-outs, and countermeasure development.
In the realm of application security, Tony is a threat modeling evangelist and has given numerous talks domestically and globally on its many benefits and applications. He has served as a guest mentor to teams participating in Kennesaw State University's annual Cybercrime capture-the-flag event, as well as a Cybercrime speaker for Southern Polytechnic University in Atlanta (2009). He has also served as a guest speaker on the subject of application threat modeling during ISACA's annual Geek Week event, and as a keynote speaker on the subject for ISACA's Global Symposium webcast series. His articles include pieces on CoBIT and the ValIT model (ISACA's Journal), application threat modeling within the SDLC (InSecureMagazine), and security process engineering for a ROSI (return on security investment) (Journal of Finance). He is currently finalizing a book with Wiley Life Sciences on the Process for Attack Simulation and Threat Analysis, due out in 2012. Tony currently leads an Atlanta-based security consulting firm that provides a hybrid approach to InfoSec by maintaining strong duality and expertise across both AppSec and GRC. He has consulted for numerous global Fortune 500 organizations in both the private and public sectors across a myriad of security disciplines, ranging from security architecture and design to secure application development.
Tony currently leads the OWASP Atlanta Chapter, where he manages monthly workshops and events for the Atlanta web application security community. He also serves on the OWASP Global Membership Board and regularly gives talks to other chapters nationwide, primarily on the topic of application threat modeling.