Threat Modeling and Security Test Planning

Presented at HOPE X (2014), July 19, 2014, 11 a.m. (60 minutes).

How do I figure out if the application I've designed is secure? What do I need to test? When do I need to start thinking about security? How does what an application is designed to do affect how it's tested? How do high-level security goals relate to protocol bugs? How do I know when I need specialist review? How do I figure out if my users will be able to use my application securely? If you've found yourself asking questions like these or if you're just realizing that maybe you should be asking them, this talk will give you tools to work with. The work that a security analyst does can be opaque, but understanding it will save you time and help you build a more secure application. This talk will cover threat modeling (both on its own and as a driver of high-level test planning), when and which kinds of low-level tests you should be including, with special attention paid to parser/protocol bugs. Examples will be shown from both the commercial space and the world of software designed for high-risk users, with specific focus on some of the particular challenges of the latter arena.


Presenters:

  • Eleanor Saitta
    Eleanor Saitta is a hacker, designer, artist, writer, and barbarian. She makes a living and a vocation of understanding how complex, transdisciplinary systems operate and redesigning them to work, or at least fail, better. Among other things, she is a cofounder of the Trike project (http://octotrike.org), technical director at the International Modern Media Institute (http://immi.is), a member of the advisory boards at the Freedom of the Press Foundation (https://pressfreedomfoundation.org) and Geeks Without Bounds (http://gwob.org), a contributor to the Briar project (http://briar.sf.net), and a freelance security architecture and strategy consultant. She is nomadic and lives mostly in airports and occasionally in New York, London, and Stockholm. She can be found at http://dymaxion.org.

Links:

Similar Presentations: