
Details

• What we'll do
Pizza and soft drinks will be provided by Rohini Sulatycki.

Talk: An overview of threat modeling and enumeration

Eduardo B. Fernandez

Threat modeling is a fundamental activity for those designing, maintaining, or administering software systems. The way a threat is modeled has a big effect on how to handle it, and several ways to do this modeling have been proposed. A good model should lead to the systematic enumeration of the threats of a system. We look at several models, including DFDs, Misuse cases, Misuse patterns, Cyber Kill Chain (CKC), Attack Graphs, Attack Trees, and Attack/Defense Trees. We then see methods to enumerate and classify threats, including STRIDE, Use cases and activities, Uzunov, and CORAS. Another aspect is catalogs of threats/vulnerabilities, including CVE, CVSS, CWE, and OWASP. We end by considering CPS threats.

Eduardo B. Fernandez (Eduardo Fernandez-Buglioni) is a professor in the Department of Electrical and Computer Engineering and Computer Science at Florida Atlantic University. He has published numerous papers on authorization models, object-oriented analysis and design, cloud computing, and security patterns. He has written four books on these subjects, the most recent being a book on security patterns; he is now working on a book on Cloud and IoT security patterns. He has lectured all over the world at both academic and industrial meetings. He has created and taught several graduate and undergraduate courses and industrial tutorials. His current interests include security patterns, cloud and IoT security, and cyber-physical systems security and safety. He holds an MS degree in Electrical Engineering from Purdue University and a Ph.D. in Computer Science from UCLA. He is a Senior Member of the IEEE and a Member of ACM. He is an active consultant for industry, including assignments with IBM, Allied Signal, Panasonic, Motorola, Lucent, Huawei, and others.
