Reverse Engineering Compliance

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 2:20 p.m. (40 minutes)

A big part of reverse engineering is asking "how does this work?" That's usually a step on the way to asking "why does it work that way?" or "how can I make this work for me?" And usually, we reverse machine code. But we can bring the same thinking to other things. We can look at a standard and figure out what it's trying to accomplish. That's useful for moving ourselves and our organizations away from a checkbox mentality to meeting the spirit of the requirement. And it turns out that a standard is also a subset of a threat model: answers to the question "what are we going to do about it?" Exposing that threat model will have all sorts of positive effects. Some of those come from just talking about the threat model, and more come from pushing standards bodies to do the right thing, and show their threat model. In this talk, Adam will show what he thinks makes up the PCI threat model, explain how he reverse engineered it, and talk about how the work exposes a way to replace the compliance mindset with threat informed defense.


Presenters:

  • Adam Shostack - President, Shostack & Associates
    Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the Black Hat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.
