Application Risk Modeling @ CSI 2007

The CSI 2007 conference held in Arlington, VA from Nov 3-9 2007 was a blast. In addition to the conference session being very educational, it was a great networking event affording one the opportunity to network with the brightest minds in the industry apropos security. You can access the conference posting here.

I presented on Application Risk Modeling as an integral part of the SDLC (System or Software Development Life Cycle) introducing the Tic-Tive^TM Risk Spectrum.

A preview of the presentation contents is given below.

Figure 1. The SecuRisk^TM Methodology of Application Risk Modeling

Figure 2. The Tic-Tive^TM Risk Spectrum. Where does your organization/company fall in this spectrum?

You can download the entire presentation by clicking on the link below.
Application Risk Modeling; An Integral Part of the SDLC – By Mano Paul

Session Abstract -
The methodology introduced in this session is designed to provide proactive risk analysis and modeling techniques for applications. It addresses obstacles experienced by security professionals due to lack of automation and objective risk modeling fundamentals. Attendees will understand how application risk management results in reducing overall risk within an enterprise and transferring risk to the appropriate business segment.

Two Application Security Catalysts – SQL Injection & Cross-site Scripting (XSS) @ Burton Group Catalyst EU 2007

Two of the most prevalent application attacks in this day and age are SQL Injection and Cross-Site Scripting (XSS). Perimeter defense devices such as intrusion detection systems (IDS) and firewalls offer no protection against such attacks. The risk of sensitive information theft, alteration, insertion of data along with other effects such as URL redirection, website defacement and authentication theft are high and will be demonstrated. This session would demonstrate the effects of SQL Injection and XSS attacks and provide insight into the control measures to successful mitigate the risk against such attacks. It will also provide insight into the different process control measures that are necessary across the systems development life cycle to harden the code from within, so that such susceptibilities are addressed. Session takeaways include a complete understanding of the anatomy of SQL Injection and XSS attack, their effects when exploited and the mitigation control measures to stop SQL Injection and cross over XSS.