Threat Modeling for Web Applications
Presentation Slides: Threat Modelling.ppt
Ivan Ristic is a web security specialist and the author of mod_security
(http://www.modsecurity.org), the open source web intrusion detection
engine for Apache. He is a member of the OASIS Web Application Security
Technical Committee, where he works on the standard for web application
protection. He is currently writing "Apache Security" for O'Reilly,
which will be published in early 2005.
---
Threat Modeling for Web Applications
Threat modeling is a risk assessment and mitigation practice that
is often neglected, even though a thorough understanding of one's
environment is required to address the correct risks in the
correct order. This session will address the issues inherent in the
development and deployment of web applications built around Apache
technologies. Using a typical Apache-based system as an example,
attendees will be presented with a lightweight threat modeling technique.
In the example we will decompose the system, identify the most
common risks, and give examples of how they can be addressed. The
end goal of the methodology is to introduce a quick and effective
technique that can be applied to everyday activities, without everyone
having to be a web security expert.