OWASP Global AppSec US 2021 has ended
Thursday, November 11 • 11:00am - 12:00pm
Practical Threat Modeling for real-world and Cloud Situations in our hybrid and WFH World


In 2020, much of the world shifted to Work from Home (WFH), and in 2021 another shift is under way toward hybrid work. This extends cybersecurity into the home and means there are more vulnerable points as organizations work through the different configurations that the variety of work structures now requires. While these shifts occur, vulnerabilities and risks are still present. Many of the attacks that have occurred affect multiple organizations and supply chains and are international in reach; to name a few: Kaseya, SolarWinds/SunBurst, and JBS Meatpacking, not to mention the weaknesses exposed by Pegasus and PrintNightmare. All of these attacks and vulnerabilities may make it seem impossible to move forward. However, now more than ever, being proactive is imperative. Hence the importance of threat modeling. Focusing on risk analysis to contextualize the threat, and applying controls based on risk, should be part of any DevSecOps cycle. Shifting security left into the SDLC is paramount, especially when attack surfaces grow regularly with more options for network connections and WFH models.

This session will cover how to threat model in four stages: create the model, identify the threats, address the threats, and validate the model. A fifth step can be added once the modeling is done: communicate the findings. During the create-the-model stage, scope setting and scope creep will be discussed. During stage 2, identify the threats, tools and methodologies will be discussed. For stage 3, addressing the threats, an understanding of current systems and practices is essential. Finally, stage 4 is a reflection on what was measured: asking "Were the right components covered?" and having an audit system is crucial to making effective decisions. After the threat modeling has finished, communicating the results to the essential team members is necessary.
Overall, realistic scenarios will be used, with an emphasis on cloud security: cloud configurations, shifting to the cloud, and being cloud native. These technical examples will be paired with real-world examples to begin the threat modeling conversation in an explainable way. Attendees will leave with tools for building models, practice with threat modeling, and suggestions for shifting security left so that it happens earlier in the software development lifecycle. The session will open with a high-level discussion of threat modeling as a way to shrink the attack surface, improve cyber posture, and decrease risk, followed by specifics on the four stages of threat modeling. Some of the vulnerabilities explored will be from the OWASP Top Ten and will be demonstrated using DVWA, as well as a virtual private cloud setup built for testing purposes.
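To make the four stages concrete, here is a small added example (constructed for this page, not the speakers' material) that walks one in-scope hybrid/WFH setup through create, identify, address, validate, and communicate. The component names, the attribute-to-threat rule table, the likelihood and impact scores, and the risk threshold are all made-up sample values.

```python
# Four-stage threat model (create, identify, address, validate) plus a communicate
# step. Constructed illustration: components, threat rules and scores are sample data.
# Stage 2 rule table (constructed): attribute -> (threat, likelihood, impact, control)
RULES = {
    "internet_exposed": ("unauthenticated access from the internet", 4, 4,
                         "restrict ingress with security groups; require VPN"),
    "handles_credentials": ("credential theft or replay", 3, 5,
                            "enforce MFA and rotate secrets"),
    "legacy_tls": ("transport downgrade on an internal link", 2, 3, "disable TLS 1.0/1.1"),
}
RISK_THRESHOLD = 12  # likelihood * impact at or above this gets a control applied

def create_model(components):
    # Stage 1: fix the scope; out-of-scope items are dropped, not quietly modeled.
    return {name: attrs for name, in_scope, attrs in components if in_scope}

def identify_threats(model):
    # Stage 2: derive threats from each component's attributes via the rule table.
    threats = {name: [] for name in model}
    for name, attrs in model.items():
        for attr in sorted(a for a in attrs if a in RULES):
            threat, likelihood, impact, control = RULES[attr]
            threats[name].append({"threat": threat, "risk": likelihood * impact,
                                  "control": control, "decision": None})
    return threats

def address_threats(threats):
    # Stage 3: apply the control where risk meets the threshold; accept explicitly below it.
    for items in threats.values():
        for t in items:
            t["decision"] = t["control"] if t["risk"] >= RISK_THRESHOLD else "accepted"
    return threats

def validate_model(threats):
    # Stage 4: "Were the right components covered?" Flag in-scope components with no
    # assessed threat, and threats that never received a decision.
    uncovered = sorted(n for n, items in threats.items() if not items)
    undecided = [(n, t["threat"]) for n, items in threats.items() for t in items if t["decision"] is None]
    return uncovered, undecided

def communicate(threats):
    # Step 5: flat summary to hand to the team once modeling is done.
    return [(n, t["threat"], t["risk"], t["decision"]) for n, items in threats.items() for t in items]

SAMPLE = [  # constructed hybrid/WFH setup: (name, in_scope, attributes)
    ("home-laptop", True, {"handles_credentials"}),
    ("vpc-web-app", True, {"internet_exposed", "handles_credentials"}),
    ("internal-wiki", True, {"legacy_tls"}),
    ("print-server", True, set()),                  # nothing matched: validation flags it
    ("vendor-saas", False, {"internet_exposed"}),   # out of scope: scope-creep guard
]
```

Running `validate_model(address_threats(identify_threats(create_model(SAMPLE))))` reports `print-server` as uncovered, which is exactly the kind of gap the audit step in stage four is meant to surface before the results are communicated.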


Uma Rajagopal

For more than two decades, I’ve worked across multiple industries to become the cybersecurity leader that I am now. Before I came to Amazon, I served as Information Security Officer at Capital One, where I helped transform our cyber program and improved our response preparedness...

Meghan Jacquot

Cyber Threat Intel Analyst, Recorded Future
Meghan Jacquot is a Cyber Threat Intel Analyst with Recorded Future and is a curious lifelong learner with a commitment to sharing what she has learned. She is a Cybersecurity Specialist and is passionate about helping others, speaking at conferences to increase cyber awareness, and...

Thursday November 11, 2021 11:00am - 12:00pm PST