Security Engineering for Machine Learning by Gary McGraw, Ph.D.

Monday November 23rd - Check out the streaming feed!

Abstract:

Machine Learning appears to have made impressive progress on many tasks including image classification, machine translation, autonomous vehicle control, playing complex games including chess, Go, and Atari video games, and more.
This has led to much breathless popular press coverage of Artificial Intelligence, and has elevated deep learning to an almost magical status in the eyes of the public.
ML, especially of the deep learning sort, is not magic, however.
ML has become so popular that its application, though often poorly understood and partially motivated by hype, is exploding. In my view, this is not necessarily a good thing. I am concerned with the systematic risk invoked by adopting ML in a haphazard fashion. Our research at the Berryville Institute of Machine Learning (BIIML) is focused on understanding and categorizing security engineering risks introduced by ML at the design level.
Though the idea of addressing security risk in ML is not a new one, most previous work has focused on either particular attacks against running ML systems (a kind of dynamic analysis) or on operational security issues surrounding ML.
This talk focuses on two threads: building a taxonomy of known attacks on ML and the results of an architectural risk analysis (sometimes called a threat model) of ML systems in general.
A list of the top five (of 78 known) ML security risks will be presented.

Bio:

Gary McGraw is co-founder of the Berryville Institute of Machine Learning. He is a globally recognized authority on software security and the author of eight best selling books on this topic. His titles include Software Security, Exploiting Software, Building Secure Software, Java Security, Exploiting Online Games, and 6 other books; and he is editor of the Addison-Wesley Software Security series. Dr. McGraw has also written over 100 peer-reviewed scientific publications. Gary serves on the Advisory Boards of Code DX, Maxmyinterest, Runsafe Security, and Secure Code Warrior. He has also served as a Board member of Cigital and Codiscope (acquired by Synopsys) and as Advisor to Black Duck (acquired by Synopsys), Dasient (acquired by Twitter), Fortify Software (acquired by HP), and Invotas (acquired by FireEye). Gary produced the monthly Silver Bullet Security Podcast for IEEE Security & Privacy magazine for thirteen years. His dual PhD is in Cognitive Science and Computer Science from Indiana University where he serves on the Dean’s Advisory Council for the Luddy School of Informatics, Computing, and Engineering.
https://garymcgraw.com | https://berryvilleiml.com | @cigitalgem

Continuous Threat Modeling for Development Teams by Izar Tarandach

Tuesday November 24th - Check out the streaming feed!

Abstract:

The recent increase in popularity of Threat Modeling has repeatedly pointed at the necessity for threat modeling methodologies that work in an agile environment where design changes with implementation and emerging constraints. CTM (Continuous Threat Modeling) is a methodology proposing to help development teams close this gap.

Bio:

Izar Tarandach is a Sr. Security Architect in a leading financial institution. Before that he was Lead Product Security Architect at Autodesk inc., Security Architect for Enterprise Hybrid Cloud at Dell EMC, Security Consultant at the EMC Product Security Office. He is a core contributor to SAFECode and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon. Izar recently published Threat Modeling, a practical guide for development teams (O’Reilly, 2020) together with Threat Modeling.

A threat modelling experience by Brook S.E. Schoenfield

Tuesday November 24th - Check out the streaming feed!

Abstract:

Unfortunately, there are many misconceptions about threat modelling. Particularly, threat modelling is too often performed exactly once after what is to be implemented has been decided, that is, after the “architecture” or “design” is finished. We’ve learned that threat modelling must integrate organically with development practices, whatever those may be, if the analysis is to be effective. But, is “agile threat modelling” even possible, given this widely held view that a threat model is a point-in-time activity, perhaps executed by security specialists who are not a part of an Agile team?
This talk will answer these questions definitively, based on decades of experience with thousands of developers. In addition, the talk will cover what we may expect to gain from a threat model, how the threat model adds unique value to software development that is difficult to achieve through other means. We will also survey the role of automation for threat modelling at today’s state of the art.

Bio:

Brook S.E. Schoenfield is the author of Secrets Of A cyber Security Architect (Auerbach, 2019) and Securing Systems: Applied Security Architecture and Threat Models (CRC Press, 2015). He provides holistic, technical leadership for his clients’ security architecture services. Previously, he led software security services at IOActive, product security architecture at McAfee and Cisco Engineering, was Autodesk’s Enterprise Security Architect, and lead Web and Application security for Cisco Infosec. He is a founding member of IEEE’s Center for Secure Design and is a featured Security Architect at the Bletchley Park Museum of Computing. He is the originator of Baseline Application Vulnerability Assessment (BAVA), Just Good Enough Risk Rating (JGERR), Architecture, Threats, Attack Surfaces and Mitigations (ATASM) and developer-centric security. He contributed to Core Software Security (CRC Press, 2014), and co-authored Avoiding the Top 10 Security Design Flaws (IEEE, 2014) and Tactical Threat Modeling (SAFECode, 2017). Building In Security At Agile Speed is expected early 2021 (CRC Press, co-authored with James Ransome).

Panel talk: Agile Threat Modeling by Izar Tarandach and Brook S.E. Schoenfield

Tuesday November 24th - Check out the streaming feed!

Abstract:

During this session we have 2 renowned threat modeling authors: Izar Tarandach and Brook Schoenfield, discussing how to combine threat modeling with agile development.
Threat modeling is a risk-based approach to designing secure systems. It is based on identifying threats in order to develop mitigations to them.
In software development, agile practices approach discovering requirements and developing solutions through the collaborative effort of self-organizing and cross-functional teams and their end users. How can threat modeling as a practice be embedded in agile development will be the main theme of this session.
Brook and Izar will first set the stage by presenting respectively:
- Where does threat modelling fit within software security (an SDL)?
- Threat modeling for Agile teams?
Followed by a panel discussion moderated by Sebastien Deleersnyder, Toreon.

What is the OWASP DevSlop Project? by Nicole Becher and Nancy Gariché

Wednesday November 25th - Check out the streaming feed!

Abstract:

As the DevSlop project continues to evolve, we are evolving with it.
Learn more about the origins of this project from its OWASP Broken Web Apps (BWA) days to where it is now, which is a learning and teaching platform for the ever-growing DevSecOps tooling, ideas and practices.

Bio:

Nicole Becher is currently Director of Information Security & Risk Management for S&P Global Platts. She has been in the cybersecurity space for over ten years working mostly in offensive security capacities leading penetration testers, red teams, forensics and incident responders. She also worked on cyber/regulatory policy for New York State Department of Financial Services, where she helped draft the first-in-nation regulatory framework for assessing the cybersecurity of large and complex financial institutions and regulatory framework for bitcoin and virtual currency companies. Nicole is also an Adjunct Instructor at New York University, where she teaches courses on computer security. She is a co-project leader for OWASP DevSlop Project (Open Web Application Security Project). Nicole has presented both talks and training, at various conferences around the world on topics related to her research interests. She is a Cybersecurity fellow of New America, a Washington DC-based think-tank, and is a fellow of the Madison Policy Forum, a cybersecurity-focused policy group bridging military, government and industry. She is a Certified Information Systems Security Professional (CISSP). Nicole is a member of the Conservation Technology SMART Security Council and is very active in wildlife conservation technology and animal rescue.

Nancy Gariché: In the early 2000s, Nancy joined the Canadian federal government as a computer science CO-OP student and never left. In 2009, she moved to Ottawa from Montreal, her beloved hometown, to land her first IT security job as a security analyst. This multi-hatted role gave her the opportunity to take on duties in multiple disciplines ranging from incident handling, to project and risk management. Involved in her local infosec community, she aspires to welcome and empower a new generation of industry professionals into the workforce. She is currently leading her federal Department’s Security Assessment and Authorization Program and she is the founder of BDB Skills, a community that helps cybersecurity professionals and enthusiasts obtain the skills and certifications required to kickstart or level up their career. Nancy is also the co-leader of the Ottawa Chapter of the Open Web Application Security Project (OWASP) and of the OWASP DevSlop project.

Gamification of Agile Threat Modelling Using OWASP Cornucopia by Grant Ongers

Wednesday November 25th - Check out the streaming feed!

Abstract:

Traditional threat modelling could be described as problematic and time consuming, so does the practice serve a purpose in the world where DevOps is a thing, and if so, how? Can you get the right balance of rigour and agility from traditional threat modelling tools and what options does gamification bring to the table?
We will look at an OWASP project I've found to be very useful in getting value out of threat modelling in the agile world of rapid delivery: Cornucopia.

Bio:

Grant's experience spans Dev - building platforms for regulated industries for more than 10 years. 20+ years in Ops, everything from managing operations in NOCs to mainframe and DBs. He also has over 30 years pushing the limits of (Info)Sec - mostly white-hat.
Grant’s community involvement is global: Staff at BSides (London, Las Vegas, and Cape Town), Goon at DEF CON (USA) for nearly ten years and DC2721 co-founder, staff at BlackHat (USA and EU), and OWASP Global Board member.

Maintaining Crypto Library for 12 Languages by Anastasiia Voitova

Thursday November 26th - Check out the streaming feed!

Abstract:

Maintaining cross-platform cryptographic library is a journey full of unexpected bugs, language-specific hacks, difficult decisions and endless struggle to make developer-facing APIs easy-to-use and hard-to-misuse.
We will talk about API design, multi-platform specifics (oh Apple), testing and supporting documentation. The talk will be useful for anyone who has their own open source project; or uses one :)

Bio:

Head of Customer Solutions, Security Software Engineer @CossackLabs
Anastasiia is a software engineer with a wide background, she started her career as a mobile developer, then deepen into security engineering. Now she is focused on cryptography/applied security, she helps companies to build secure yet usable systems (oh yes, it takes efforts).
Anastasiia maintains open-source cryptographic library Themis, conducts secure software development training, often speaks at international conferences, co-organizes cyber-security events and leads security chapter at WomenWhoCode Kyiv.

OWASP Amass: You Can't Protect What You Don't Know You Have by Jeff Foley

Thursday November 26th - Check out the streaming feed!

Abstract:

The OWASP Amass Project provides a tool to help information security professionals perform attack surface mapping and asset discovery using open-source information gathering and network reconnaissance. Attack surface mapping is an important task for red teams and blue teams, yet also filled with many steps, making it tedious and error-prone. The OWASP Amass Project allows information security professionals to bring automation and organization to their asset discovery process. This focus area is growing in importance as CISOs report that complexity is their number one challenge due to the need to protect more assets, while technology and people are being spread further across the Internet, creating a more dynamic and less predictable attack surface.


Agenda:
- Introduction to the OWASP Amass Project
- Share Observations and Challenges from Amass
- Demonstrate Basic Features of Amass
- Discuss Future Directions
- Questions

Bio:

Jeff Foley is the founder and project leader for Amass. Jeff also serves as a Principal Consultant at ClaritySec, Inc. and as an Adjunct Professor at SUNY Polytechnic Institute. Prior to this, he was the US Manager for Penetration Testing & Red Teaming at National Grid. In his spare time, Jeff enjoys experimenting with new blends of coffee, automating security tasks, and giving back to the information security community.