We would like to invite you to a special mid-week event being hosted by us during the RSA San Francisco conference on Wednesday 6th March: Threat modeling brunch with IriusRisk.
We’ve booked the fabulous setting of a local museum within easy walking distance of the main conference and are excited that four stellar guests (Adam Shostack, Brook Schoenfield, Tanya Janca, Jim Manico) from the world of threat modeling and application security will be giving talks and having a lively panel discussion.
The event is free but places are limited so if you’re reading this and want to attend, hop over to evenbrite and book your place now.
Both Stephen De Vries and Stuart Winter-Tear from Continuum will be in attendance as well as available for networking and meetings from Tuesday 5th – Thursday 7th March so please feel free to schedule a meeting with us in advance.
Look forward to seeing you!
10:00 – 10:10 Introduction by Stephen De Vries
10:10 – 10:55 Keynote by Adam Shostack
“A Seat at the Table”
Abstract: Threat modeling is not just a fundamental security practice — it can change your security culture. The agile, cloud, and devops have transformed technology, and all too often, left security wondering what our role is in the new world. Effective collaboration requires new skills, new approaches, and a new speed. We’ll look at all three, how security can collaborate, how we can engage before a line of code has been written, and how we can benefit from the directions the world is going.
10:55 – 11:40 Jim Manico
“Application Security: Things are getting better”
Abstract: Application Security began in the early 60’s where plaintext password storage, no password policy, poor access control and other massive security problems were the norm. This talk with review the history of application security to help illustrate not just how much application security has gotten better, but also how the rate of positive change has been getting better as well. This fun ride through the history of application security is meant to inspire those who work in the industry. We are often looking closely at failure and insecurity, but when we step back and look at our industry historically, we can all see just how much things truly are getting better.
11:40 – 12:25 Brook Schoenfield
Title “Do Automation and Threat Modeling Play Well Together?”
Abstract: Threat modeling has been and continues to be largely a manual, expert-driven analysis technique. Increasingly, organizations have mandated threat modeling, though experienced threat modelers tend to be in short supply, scaling a secure design practice has proven tricky at best, difficult, even near intractable sometimes. So, the automation wolves have been chewing at threat modeling’s manual heels. Do situations exist where automation’s promise can be applied to expert-centric security practice? Are there times when expert analysis should definitely be brought to bear? If so, can one sufficiently define the expert-required vs automatable? What areas in threat modeling have toolmakers chosen to address? Have any of these been successful, at scale? What does it take to scale threat modeling? 1000 expert security architects? That would surely be a non-starter for most organizations, maybe all. This talk will address all of these questions with a survey of the automation that’s currently available, the situations to which automation applies well, and those that will continue to call for experts into the foreseeable future. Join author and passionate threat modeling teacher, Brook S.E. Schoenfield as he shares from his experiences building and sustaining secure design practices.
12:25 – 13:15 Tanya Janca
“Pushing left like a Boss”
Abstract: With incident response and penetration testing currently receiving most of our application security dollars, it would appear that industry has decided to treat the symptom instead of the disease. “Pushing left” refers to starting security earlier in the SDLC; addressing the problem throughout the process. From scanning your code with a vulnerability scanner to red team exercises, developer education programs and bug bounties, this talk will show you how to ‘push left’, like a boss.
About the Speakers
Stephen De Vries:
Stephen is our co-founder and CEO. He started his career as a C, C++ and Java developer, moving into security operations and then software security. He’s an active contributor to a number of OWASP projects and has helped FTSE 100 companies to build security into their development processes through threat modeling and integrated security testing. Stephen enjoys tinkering with renewable, off-grid energy systems and writing code.
Contact twitter: @stephendv
Stuart is Information Security obsessed and worked as a consultant for many years. As an InfoSec “generalist” there is not much he has not been called upon to deal with, ranging from designing & building secure networks through to testing security for business, health sector & critical infrastructure. Nowadays Stuart focuses on threat modelling, secure design & security in DevOps with Continuum Security.
Contact Twitter: @stegopax
Adam is a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.
Contact Twitter: @adamshostack
Contact: Web: https://adam.shostack.org/
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member of the JavaOne rockstar speaker and Java Champion community and is the author of “Iron-Clad Java: Building Secure Web Applications” from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP foundation where he helps build application security standards and other documentation.
Contact: Twitter: @manicode
Brook S.E. Schoenfield is the Author of Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015). He provides technical leadership for IOActive’s holistic security architecture services. Previously, he led product security architecture at McAfee, Autodesk, Cisco Engineering, and Web and Application security for Cisco Infosec. He is a founding member of IEEE’s Center for Secure Design and is a featured Security Architect at the Bletchley Park Museum of Computing. He is the originator of Baseline Application Vulnerability Assessment (BAVA), Just Good Enough Risk Rating (JGERR), Architecture, Threats, Attack Surfaces and Mitigations (ATASM) and developer-centric security. He contributed to Core Software Security (CRC Press, 2014), and co-authored Avoiding the Top 10 Security Design Flaws (IEEE, 2014) and Tactical Threat Modeling (SAFECode, 2017).
Contact Twitter: @BrkSchoenfield
Tanya Janca is a senior cloud advocate for Microsoft, specializing in application and cloud security; evangelizing software security and advocating for developers and operations folks alike through public speaking, her open source project OWASP DevSlop, and various forms of teaching via workshops, blogs and community events. As an ethical hacker, OWASP Project and Chapter Leader, Women in Security and Technology (WIST) chapter leader, software developer and professional computer geek of 20+ years, she is a person who is truly fascinated by the ‘science’ of computer science.
Contact Twitter: @SheHacksPurple