OWASP Meeting: Threat Modeling and Probabilistic Security
Hosted by The OWASP Seattle Chapter
Details
We've got two great talks to present and some holiday refreshments.
The event will be at Facebook’s Seattle office at Dexter Station, 1101 Dexter Ave. They provided this advice for the venue:
Facebook is all about scale, and single occupant cars don’t scale. We are located in a dense and busy neighborhood and parking is not available on site. Please try to use public transportation, carpool, Uber/taxi or bicycle. The event will be on our ground floor meeting space adjacent to the building lobby on Dexter Ave, next to the Starbucks.
Threat Modeling:
Everyone knows you ought to threat model, but in practical reality it turns out to be tricky. If past efforts to threat model haven't panned out, perhaps part of the problem is confusion over what works, and how the various approaches conflict or align. This talk captures lessons from years of work helping people throughout the software industry threat model more effectively. It's designed to help security pros, developers and systems managers, all of whom will leave with both threat modeling lessons from Star Wars and a proven foundation, enabling them to threat model effectively.
Probabilistic Security:
There is a tendency among us (security professionals) to think of security in deterministic terms. That was never a good idea and is less so in the age of large distributed services that span the globe and use millions of computers. I'd like to make the case that the best security model is one that mimics organic life that evolves continuously and develops an immune system that also adapts and evolves. This talk and following discussion will explore a wholly different approach to, and philosophy of, security in large cloud platforms and online services.
There will also be a short briefing on some new declassified research on Certificate Transparency from Brad Hill from FB's security team.
Bios:
Adam (http://adam.shostack.org) is an entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped found the CVE and many other things. He's currently building his 5th startup, focused on improving security effectiveness, and mentors startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of "Threat Modeling: Designing for Security," and the co-author of "The New School of Information Security."
Khaja (https://www.linkedin.com/in/khaja) has been in information security since, as he likes to say, "Before it was fashionable", back in 1990. Over the decades he has worked on a variety of security technologies from chips, embedded devices and computers to operating systems, large online services and cloud computing platforms. He's dealt with security challenges in small startups and some of the largest companies. He has recently joined Google's Security and Privacy team and was previously at Amazon (AWS) and Microsoft. Prior to that he was in a few different startups in Silicon Valley and was cofounder of Cavium Networks - the largest manufacturer of security protocol processors and crypto accelerators.
Brad (https://www.linkedin.com/in/brad-hill-00a2891) @FB






