Gamification of Threat modeling

Hosted By
Erlend O. and Johan S.
Details

Place: OSL-SKO-3-Auditorium, 3. etg, Karenslyst Allé 56, Skøyen

  • 17:00-17:30 - Food serving
  • 17:30-18:15 - Gamification of Threat Modeling for Machine Learning, Elias Brattli Sørensen
  • 18:15-19:00 - Let’s play OWASP Cornucopia! Johan Sydseter

Gamification of Threat Modeling for Machine Learning
Artificial Intelligence (AI) has established itself as an important part of our lives, with machine learning spearheading the most notable innovations in the last two decades. Publications about prompt injection and similar attacks get a lot of attention. However, these are far from the only security issues with machine learning systems. We also have to think about challenges like poisoned data, recursive data pollution and all the personally identifiable information the models have memorized, as well as other inherent weaknesses with stochastic systems. Too much focus is directed towards operational security in the Ops part of MLOps, while the shift-left idea of building systems "secure by design" during planning and development does not get enough emphasis. Threat modeling and risk analysis will likely play an important role in the future of machine learning security. I introduce Elevation of MLsec, which is an extension of Shostack's threat modeling card game Elevation of Privilege, and based on the risk framework published by the Berryville Institute of Machine Learning (BIML). In this talk, we will demystify how machine learning systems actually work and explore how the threat modeling game can help us engineer more secure machine learning systems.

Let’s play OWASP Cornucopia!
OWASP Cornucopia is a card game that helps software development teams identify security requirements in agile software development processes. It is language, platform, and technology agnostic.

In this session we will learn to play the game in a different way from what we usually do. Johan Sydseter, OWASP Cornucopia co-lead and game master, will take you through a provocative scenario. Confronted with the grumpy old senior developer who refuses to shift left due to too many hours working overtime on his incredibly sophisticated pet projects, what will you do? Will you be able to teach him a lesson about why security is important, or will he be laughing all the way to his developer cave? Only truly passionate application security engineers will succeed. Expect confetti, swag (yes, you read right, swag, valued just below the corruption limit) and illegal bribes as you venture into the unknown of OWASP Cornucopia.

Speakers

Elias Brattli Sørensen is a software engineer and security champion at Kantega SSO, engineering digital identity standards for secure authentication to the Atlassian ecosystem while facilitating and promoting secure software development practices. M.Sc. in Computer Science at NTNU, researching usage of static analysis tools like SpotBugs to find vulnerabilities in OpenID Connect client implementations.

Johan Sydseter is co-leader for OWASP® Cornucopia and co-creator of the OWASP® Cornucopia Mobile App Edition. The man with the long hair, not the long beard. Fresh meat in AppSec and OWASP, but has 15 years' experience building and designing backend and frontend solutions as a designer, developer and architect. He has held several presentations on appsec at various international conferences, and loves confetti and funny glasses.

About OWASP and OWASP Chapter meetings
OWASP is an online community that produces freely available articles, methods, documentation, tools, and technologies in IoT, system software, and web application security.
OWASP Chapters exist to build a community of application security professionals worldwide. Our Oslo OWASP Chapter's meetings are free and open to everyone to attend, so both members and non-members are always welcome. Local meetings include:

  • Training to improve your skills
  • Lectures that are relevant to your work
  • Networking capabilities
OWASP Oslo Chapter
Visma Enterprise AS
Karenslyst Allé 56, Oslo