Threat Modeling – Locking the Door on Vulnerabilities
Did you lock the door before leaving your house this morning? If you did, you threat modeled without even realizing it. Threat modeling is identifying potential threats (house robbery) and implementing measures to mitigate the risk (locking your door).
Protecting valuable assets, no matter if personal assets or business-related assets such as the software you are developing, threat modeling should become an instinctual and necessary part of your process.
Our talk highlights how nearly 50% of security flaws can be mitigated through threat modeling. We help you prevent and mitigate risks by utilizing a reliable and hard-hitting analysis technique that can be applied to individual applications or across an entire portfolio. We show you how to effectively apply these techniques at the start of the design phase and throughout every phase of the development lifecycle so you can maximize the ROI of your security efforts.
Topics covered include:
• Threat Modeling 101
• The propagating effect of poor design
• Tabletop exercise – a world with and without threat modeling
• Best practices and metrics for every stakeholder
RecordedMay 9 201863 mins
Your place is confirmed, we'll send you email reminders
The proliferation and complexity of software-enabled systems have amplified risk for many organizations. Conventional approaches to software security don’t work, typically encompassing no more running vulnerability scanning. Executives need a better way to understand which products, systems, and teams are putting their enterprise at most risk – and deploy appropriate action plans.
SToRM represents a new approach for enterprises to more effectively assess and protect software-dependent IT systems. Change your approach – evolve from a vulnerability focused approached to risk-based one. Learn pragmatic steps to ensure you’re mitigating the most risk with limited resources, time, and budget.
• Why traditional approaches aren’t working
• How to identify risks at the business workflow and IT system levels
• Techniques to calibrate assessment and mitigation efforts
Unique to the industry, CMD+CTRL are interactive cyber ranges where staff compete to find vulnerabilities in business applications in real-time – learning quickly, that attack and defense are about thinking on your feet, creativity and adaptability. Every two weeks, we will offer the opportunity to test drive CMD+CTRL for 24 hours. We'll open up our CMD+CTRL to anyone to participate, score points, and see how they do. We will start with a 30 minute live demo to go over the features and functionality of CMD+CTRL, Q&A, and provide the login URL and credentials for your free 24 hour access and you can begin testing your skills immediately. Sign up to test drive CMD+CTRL!
Regulatory compliance mandates have historically focused on IT & endpoint security as the primary means to protect data. However, as our digital economy has increasingly become software dependent, standards bodies have dutifully added requirements as they relate to development and deployment practices. Enterprise applications and cloud-based services constantly store and transmit data; yet, they are often difficult to understand and assess for compliance.
This webcast will present a practical approach towards mapping application security practices to common compliance frameworks. It will discuss how to define and enact a secure, repeatable software development lifecycle (SDLC) and highlight activities that can be leveraged across multiple compliance controls. Topics include:
* Consolidating security and compliance controls
* Creating application security standards for development and operations teams
* Identifying and remediating gaps between current practices and industry accepted "best practices”
Joe Basirico, VP of Services at Security Innovation
Welcome to the lighter side of the software security world!
We’ll explain complex topics like injection flaws, configuration errors, and parameter tampering with real-world analogies, like breaking into your house through your shed, or sneaking into a Coldplay concert using a reflective yellow vest, a walkie talkie toy, and your bravado. If you’ve ever struggled to remember exactly how these issues work or struggled to explain them to someone outside of the security field, this presentation will help (and probably make you laugh).
Joe Basirico, VP of Services at Security Innovation
Software runs today’s business; however, security implications are often misunderstood, creating significant organizational risk. Poorly configured servers, 3rd-party software, and continuous release cycles put additional pressure on already stressed teams.
Hackers no longer just exploit vulnerabilities in code -- faulty cloud deployments, weak database structures, and business logic problems are also easy targets for attackers. To reduce risk, you’ve got to audit your system in the same way an attacker would.
This presentation demonstrates how attackers compromise the modern enterprise. For each attack demonstrated, mitigation practices will be discussed. WARNING: software will be harmed during this presentation. Viewer discretion advised.
- The modern technology stack
- Easy pickings – hacking demonstrations!!
- Auditing software-based systems:
o Standards and policies
o System updates and patching
o Data leakage/exfiltration
o Identity & access management
o System logs and tracking
o Tamper protections and detection
o Authentication and access controls
Information systems in the digital age are complex and expansive, with attack vectors coming in from every angle. This makes analyzing risk challenging, but more critical than ever.
Attend this webcast to better understand the dynamics of modern IT systems, security controls that protect them, and best practices for adherence to today’s GRC requirements.
· Threats, vulnerabilities, weaknesses – why their difference matters
· How vulnerability scanning can help (and hinder) your efforts
· Security engineering and the system development lifecycle
· High impact activities - application risk rating and threat modeling
Joe Basirico, SVP of Engineering at Security Innovation
The cloud is a cost-effective way to provide maximum accessibility for your customers. However, organizations often fail to optimize and configure it properly for their environment, leaving them inadvertently exposed.
Attend this webcast to learn proven techniques that reduce cloud risk, including:
• Building applications to leverage automation and built-in cloud controls
• Securing access control and key management
• Ensuring essential services are running, reachable, and securely hardened
Lisa Parcella, VP of Product and Marketing and Elizabeth Xu, CMD+CTRL Product Manager
After running 300+ customer, community and industry events, Security Innovation has received some great feedback to further enhance our award-winning CMD+CTRL Cyber Range. We’ve taken that feedback and made some major improvements to our newly released CMD+CTRL user interface.
In this live webinar, we will unveil the new and improved CMD+CTRL platform, showcasing how it provides players with an improved learning environment, and administrators now have maximum control over in-house events.
The new CMD+CTRL experience includes:
* Enhanced Gamification Experience
* Seamless Event Switching
* Dedicated Player Report Card
* Admin All-in-One mode
* Instant Event Setup
* Event Specific Dashboards
Join us for a first look at all of the new features our CMD+CTRL Cyber Range has to offer.
IoT Systems provide powerful, flexible features for IT systems — tracking, monitoring, and other data sharing. Today’s IoT devices utilize microservices and APIs that make them easy to put into production. But securing them isn’t as easy.
This webinar will look at security risks of IoT devices, interfaces, and implementations. We’ll provide practical steps and checklists any DevOps team can use to make their IoT components as secure as possible. We’ll also cover some testing best practices that can be done pre- and post-production to verify security and resilience on an ongoing basis.
About the Speaker
Ed Adams is a software quality and security expert with over 20 years of experience in the field. He served as a member of the Security Innovation Board of Directors since its inception in 2002 and took over as CEO in 2003. Ed is a Research Fellow at The Ponemon Institute, serves on the board of several IT security organizations, and was named a Privacy by Design Ambassador by the Information and Privacy Commissioner of Canada.
Lisa Parcella, VP of Product and Marketing and Brandon Cooper, Cyber Range Support Specialist
Finding security experts is hard, but training emerging experts is becoming easier! Security Innovation’s CMD+CTRL Cyber Ranges feature intentionally vulnerable web and mobile applications that teach teams how applications are attacked by actively exploiting them, creating higher engagement and retention.
The CMD+CTRL Cyber Range suite includes several banking websites - you may have heard of ShadowBank, the original and most popular cyber range - as well as a back-office HR application, social media app , mobile fitness tracker app and our newest edition, LetSee!
LetSee is an online marketplace that lets users shop and sell a variety of hand-made and vintage goods. LetSee is also our first Single Page App (SPA) with a heavy focus on API vulnerabilities.
Come see LetSee along with our entire Cyber Range suite and get 24 hour access post-webinar to test your hacking skills with our newest application!
In order to address the widening security skills gap, organizations are beginning to investigate non traditional methods for identifying, training, improving and retaining talent.
Among the methods being adopted are more immersive experiences that focus on teaching team members how to think and act like an attacker. This approach supplements the traditional engineering “find the bug, fix the bug” focus and enables a much wider pool of talent to become aware, educated and improved.
This talk will provide an introduction to simulation environments like Cyber Ranges, differentiate them from gamification systems, and discuss the emerging delivery, adoption and organizational lessons learned that are driving further adoption. Additionally, information will be available to anyone who wants to try a Cyber Range at the end of the session!
Dr. Larry Ponemon of the Ponemon Institute and Ed Adams of Security Innovation
Millions of cars with tens of millions of lines of code are already talking to servers and each other. According to the Ponemon Research Institute, 63% of manufacturers test less than half of the technologies in your car for vulnerabilities and only 33% train developers on secure coding methods.
However, there is a new IT system going into cars that was built with security and privacy by design. This “Talking Cars” safety of life program, which is estimated to save 10,000 lives per year, is one of the few automotive technologies that is secure and private for drivers.
This webinar discusses the trade-off between safety, privacy, and convenience. It will also examine the 10-year Privacy by Design system used in “Talking Cars” and how other technology projects can benefit from similar due diligence.
• Connected cars – threats and attack surface
• Review of the most current research on automotive IT security and privacy
• Blueprint for excellence: Security & Privacy in the “Talking Cars” program
Though basic knowledge of cybersecurity and privacy is helpful, this webinar is for anyone who wants to better understand connected car technology and how to design resilient IT systems. The speakers, Dr. Larry Ponemon and Ed Adams, are experts in their field and deliver this information-rich webinar.
Mick Ayzenberg, Sr. Security Engineer and Blockchain Center of Excellence Lead
Blockchain is a promising technology getting a lot of attention these days; however, organizations aren’t entirely sure how it might improve business operations, what the risk implications are, and the security savviness needed to implement securely.
This webcast will address the most pressing issues and misconceptions surrounding Blockchain today, including:
• What is Blockchain?
• What are the new technologies I need to understand?
• Use Cases: where is Blockchain most advantageous?
• Snooze Cases: where/when is Blockchain a bad idea?
• What are the most common pitfalls with Blockchain?
Kevin Poniatowski, Principal Security Engineer and Trainer
Software runs our world — the cars we drive, the phones we use, the websites we browse, the entertainment we consume. In every instance privacy risks abound. How do software development teams design and build software to ensure privacy data is protected?
Attend this webcast to learn practical tips to build software applications that protect privacy data. Understand the requirements of new laws such as GDPR and the impact they have on software development.
• Designing for Privacy: least privilege and compartmentalization
• Creating privacy impact rating
• Implementing application privacy controls
• Techniques for effective privacy testing
Kevin Poniatowski, Sr. Security Engineer and Trainer
From executives to software developers and database administrators, each role plays an important part in protecting privacy data. But what does an effective privacy program look like for the teams that build and operate the software applications that powers your enterprise?
This webcast will describe how to build powerful policies that can be easily understood and implemented in today’s continuous delivery and DevOps approaches.
Privacy Concerns for Software Applications
Threats, Regulations, and Laws
Privacy Engineering Principles
Data Collection, Retention, and Consent
This Webcast is ideal for policy makers, program leads, compliance managers, and privacy officers. Development and IT Operations teams will also gain valuable insight into how to protect data throughout the entire application lifecycle.
Kevin Poniatowski, Principal Security Instructor, Security Innovation
Privacy has overtaken security as a top concern for many organizations. New laws such as GDPR come with steep fines and stringent rules, and more are certainly to come. Attend this webcast to learn how everyday business operations put customer privacy data at risk. More importantly understand best practices on protecting this data and dealing with disclosure requirements. Topics include:
* Types of privacy and threats to them
* How is privacy different than security?
* Business systems putting you most at risk
Ed Adams, CEO and Roman Garber, Development & Security Manager
DevOps continues to be a buzzword in the software development and operations world, but is it really a paradigm shift? It depends on what lens you view it through.
Roman Garber, an active software security engineering and software team lead thinks so. Ed Adams, Security Innovation CEO, a 20-year software quality veteran and former mechanical engineer, curmudgeonly disagrees.
Watch our on-demand session to decide which side of the fence you're on.
A widely-used but little known technology has created a vulnerable “Side Door” to thousands of financial institutions in North America. This discovery started with a simple question: why does my bank require multi-factor authentication (MFA), but Quicken does not? This led to an exploration of the 20-year old Open Financial Exchange (OFX) protocol and the 3000+ North American banks that support it. The conclusion: 80% of banks supporting OFX have no MFA support, putting consumers at risk by exposing login credentials.
This presentation provides a summary of our research. It also describes how organizations can assess and mitigate enterprise risk posed by OFX. Topics include:
· Open Financial Exchange (OFX) protocol — how it works and where it’s vulnerable
· Research findings — OFX security vulnerabilities that create enterprise and consumer risk
· Compliance implications - using a known vulnerable component creates headaches
· Assessment techniques — commercial scanning tools don’t work with OFX. Learn how to assess this risk quickly
·Mitigation techniques — compensating controls that reduce exposure while using the OFX protocol
Data breaches happen all the time, but that only happens to large enterprises, right? What about me? How can you alter behaviors to better protect yourself and your family from personal attacks, phishing scams and the like?
In this webinar, geared to everyday users, we will show you how to easily and quickly protect yourself from the breaches that lurk all around us:
•The What and How Behind Your Personal Threat Model
•Quick and Easy Steps for Password Protection and Two Factor Authentication
•Everyone’s Watching: How to Manage Your Online Privacy While Remaining Social
Join cybersecurity expert, Roman Garber, from Security Innovation for an inside look into protecting your and your families’ personal assets so you won’t become a victim of online threats and breaches.
Ed Adams, CEO of Security Innovation and Holger Schulze, CEO of Cybersecurity Insiders
Despite software being the primary target of attacks, organizations still fall woefully short with even basic security hygiene:
53% lack significant resources to detect and remediate application vulnerabilities
42% blame "rushing to release” for not establishing secure coding procedures
Limited budgets, low-security awareness, and lack of skilled personnel compound problems.
Join cybersecurity experts from Security Innovation and Cybersecurity Insiders as they explore the current security landscape and present actionable measures for integrating best practices into your software development process that will help slash enterprise risk.
You will learn:
- How your organization stacks-up in comparison to your peers
- Top challenges and roadblocks to effectively protect your applications
- Best practices to improve your security posture
In today's connected world, software runs everything - from smart phones to banking applications, cars to home security systems, even refrigerators, garage doors and other every day devices are "connected." Software is everywhere – and unfortunately, it provides the largest attack surface for hackers. We are a cybersecurity company leveraging our deep knowledge of software security to create relevant products and services.