, , , ,

Keep up to date with the latest Threat Modeling news and insights

Subscribe now to our monthly “Threat Modeling Insider” TMI newsletter – packed full of expert advice and articles to get you started with threat modeling.

Threat modeling has always been a passion and a cornerstone of the security services we provide. It helps to identify and mitigate potential security issues early on, when they are relatively easy and cost-effective to resolve.

This week we start our monthly newsletter “Threat Modeling Insider” (TMI). With this newsletter we promise you valuable and curated content from the field of threat modeling to your inbox on a monthly basis. Topics will include a threat modeling news digest, threat modeling resources, whitepapers, templates and presentations by threat modeling authorities and from our very own Toreon experts.

Subscribe to our monthly “Threat Modeling Insider” TMI newsletter.

A sneak preview

Thursday you’ll receive our first edition of the TMI newsletter including:

Additionally we’ll share updates and news on upcoming appearances and events to catch up with the Toreon team and our training sessions.

In conclusion: interested? Subscribe now and receive your first TMI newsletter on Thursday.


, , , , , , ,

Toreon presents Threat Modeling workshop at SecAppDev 2019

SecAppDev is an intensive one-week course in secure application development. For the 15th year in a row, SecAppDev organizes a leading-edge software security courses for developers, one of them is Toreon’s Whiteboard hacking (aka hands-on threat modeling).

Our White Board Hacking workshops put together everyone involved, such as product owners, architects and developers, to systematically analyze the application being designed and come up with the security measures needed to make it run securely. All of this happens before a single line of code is written!

Learn more about Whiteboard hacking

At SecAppDev our CEO Sebastien Deleersnyder proposes an action-packed 1 day Threat Modeling workshop as taught at OWASP, Black Hat USA and O’Reilly Security conferences. In groups of 3 to 4, participants are challenged to threat model two real-life use cases: a REST-based web application and an on-site IoT deployment.

Registration for the 2019 edition is now closed, but you can learn more about White Board Hacking at O’Reilly Velocity (San Jose), Black Hat (Las Vegas), HITB (Singapore and Dubai) or DevSecCon (London).

Consult the calendar

, , ,

Het belang van informatiebeveiliging voor KMO’s

Dit is de eerste blog van een reeks blogs met als focus ‘informatiebeveiliging bij KMO’s’. In deze blogs leggen we stapsgewijs uit hoe KMO’s de beveiliging van hun informatie kunnen optimaliseren. Deze eerste blog kadert alvast het belang van informatiebeveiliging bij KMO’s. In de opvolgblogs gaan we dieper in op de aanpak.

Het is vandaag ook voor KMO’s ondenkbaar dat ze zonder informatietechnologie en toegang tot het internet kunnen functioneren, laat staan concurrentieel kunnen blijven met de grotere ondernemingen en multinationals die stevig inzetten op digitale innovatie in een wereld waarin producten en diensten sneller en continu beschikbaar moeten zijn via de digitale snelweg.

Er zijn tal van voordelen, maar ook risico’s verbonden aan informatietechnologie. Zo kunnen hackers, concurrenten en kwaadwillige medewerkers uw bedrijfsvoering op tal van manieren schade toe brengen.
Zo kan men:
• uw informatie stelen waardoor u een concurrentieel voordeel verliest.
• uw informatie ook lekken waardoor uw reputatie een deuk krijgt en u mogelijks ook onderzocht zal worden door een toezichthouder (bv. gegevensbeschermingsautoriteit) met boetes als gevolg.
• uw gegevens versleutelen (ransomware).
• uw website/systemen doen uitvallen waardoor de bedrijfscontinuïteit in gedrang komt.

De waarschijnlijkheid, het effect en de zichtbaarheid van informatiebeveiligingsincidenten zijn de laatste jaren alleen maar toegenomen. Bovendien lopen KMO’s een hoger risico aangezien ze over minder IT budget, personeel en expertise beschikken dan grotere ondernemingen.
Het belang van de juiste expertise neemt bovendien voortdurend toe omwille van de toenemende complexiteit van het IT en informatiebeveiliging landschap.
Cybercriminelen beseffen maar al te goed dat kleinere ondernemingen sterk afhankelijk zijn van hun informatie (middelen) en minder goed beveiligd zijn en focussen hun aandacht dan ook vaak op deze gemakkelijke prooien. Dit werd onder meer bevestigd door een onderzoek van Symantec waaruit bleek dat 60% van de cyberaanvallen gericht waren op KMO’s.
Hier tegenover staat (onterecht) dat KMO’s zichzelf als onaantrekkelijke doelwitten zien voor cyberaanvallen en de kans om ooit slachtoffer te zijn als (heel) laag inschatten. Hierdoor blijven KMO’s structureel te weinig investeren in informatieveiligheid.
Vaak begint men pas te investeren nadat men slachtoffer is geweest van een cyberincident. Zoals vaak geldt ook hier dat voorkomen beter is dan genezen en dat men met een aantal gerichte ingrepen de waarschijnlijkheid en impact van incidenten sterk kan beperken.

In de volgende blogpost gaan we dieper in op hoe KMO’s hun risico’s optimaal kunnen beperken, terwijl we rekening houden met de beperktere middelen die KMO’s ter beschikking hebben.

Contacteer je ons liever meteen voor advies op maat van jouw onderneming? Leer ons kennen en stuur een vrijblijvend mailtje.

, , ,

OWASP BeNeLux Days 2018

I love working with OWASP because I strongly believe in the values of knowledge sharing and community building. I personally started the OWASP Belgium chapter in Belgium in 2005. Today, I am also very active as co-leader on the OWASP SAMM project.

When I started my company Toreon (cyber security consulting), I tried to instil the same values to the business. I attracted people with the same mind set of knowledge sharing. Now many of my colleagues are active at OWASP and Toreon’s Steven Wierckx is the project leader on the OWASP Threat Modeling Project.

We believe that donating time and money to open source projects and the OWASP community can really improve the overall security of software (realising Toreon’s mission of ‘Creating trust for a safer digital society’).

At the same time we learn a lot by being active in these projects and we build a network of specialists and friends within the OWASP community.
We also put our money where our mouth is: Toreon is a proud sponsor of the OWASP Belgium chapter and the upcoming OWASP BeNeLux Days on the 29th and 30th of November in Mechelen, Belgium, which has great free trainings and line-up: check it out here.
Make sure to come to the conference and if you can, become a (personal or corporate) OWASP member! And please tell all your friends and colleagues about OWASP.

At the conference, come and say hi at our booth! You can win a book from Adam Shostack on Threat Modeling or a Google AI do-it-yourself kit with an intelligent camera and Raspberry PI.

, , ,

New Whiteboard Hacking Training: Advanced and for Pentesters

One of Toreon’s key values is the gathering and sharing of knowledge. We try to encourage our own people to do this all the time and actively facilitate this. Knowledge grows exponentially when shared and combined with people of all knowledge levels, even if they come from different IT security domains.

This made us realise that we have a lot of knowledge to share. We see it as our duty to help train top notch IT security specialists. First we started to train the Toreon employees and later on also clients’ employees, which we have been doing for several years now. All this knowledge is now also available for your organisation. The better your people are trained and prepared, the more we can all focus on our main objective: creating a safer digital society.

We have expanded our knowledge base and have finetuned our workshops and trainings and are now also offering them to be booked for conferences and in-house company training.

Our Whiteboard Hacking training has been doing so well (OWASP AppSec Europe 2017 in Belfast, Northern Ireland – Black Hat USA 2017 in Las Vegas, USA – O’Reilly conference 2017, NY, USA) that we’ve developed an advanced version, which is already scheduled for Black Hat 2018 (USA and Europe) and BruCON 2018 (Ghent, Belgium):
BlackHat Las Vegas, USA (August 2018)
BlackHat London, UK ( December 2018)

We recently started with versions for pentesters and DevOps engineers: Offensive whiteboard hacking for penetration testers. Already available at:
– BruCON 2018, Ghent, Belgium (October 2018)
– DevSecCon 2018 London (October 2018)

Check out all the details of our available AppSec trainings.

Contact us for an in-house training offer, tailor made to suit your needs.

, , ,

Our ‘Adding Privacy by Design in Secure Application Development’ talk at OWASP London

On 5-June Seba delivered the talk “Adding Privacy by Design in Secure Application Development” at the OWASP Europe conference in London.

Seba addressed the complex GDPR challenge for developers as part of a Secure Development Lifecycle approach.

The presentation covered:

• GDPR requirements covering design, data lifecycle, users and end of life aspects
• Privacy by Design challenge
• Including GDPR in the Secure Development Life Cycle
• Mapping OWASP SAMM to the GDPR
• Integrating privacy in application security classification, awareness training, guidelines, AppSec champions, threat modeling, 3rd parties, security testing and incident management
• Introducing GDPR risk patterns

Our talk focussed on practical implementation aspects and demonstrations of real life use cases encountered in our software security and privacy projects.

You can download the slides here.

, , ,

OWASP threat modeling podcast

Our Steven Wierckx (@iHackforfun) joined the application security podcast to talk about the OWASP Threat Model Project in which he has taken the lead.
Click here for the podcast…


, ,

Gain more insight and create doomsday scenarios for better threat modeling

In previous blogs you could already read about what threat modeling is, and about the 4 steps. In practice, however, threat modeling is more than just a technical analysis of your application. The threat landscape is constantly evolving, and so is your organisation. Therefore, you need to understand the technical and business context, and create doomsday scenarios. As a result, you have a broader insight of the threats to your application.

  1. The ecosystem

Applications are not always stand-alone. On the contrary: they are mostly part of an ecosystem of applications. You need to find out how it works and how it supports your organisation. You also need to have a clear understanding of the security requirements. You should, for example, know what other applications or services the application is exchanging information with.

  1. The business context

What business process is being performed or supported? What are the characteristics of that specific process? And how crucial is that process for your business? You also need to find out who is using the application and identify possible threat actors. In most cases, they fall into one of the following categories:

  • Insider trusted: privileged users
  • Insider untrusted: very regular users, contractors …
  • External trusted: suppliers, partners, service providers …
  • External untrusted: competitors, cybercriminals …

Eventually, you need to identify risks for your business: what is the impact and what is the probability that a certain risk will occur?

  1. The added value of threat modeling

Threat modeling is quite time-consuming and thus expensive. It is therefore only relevant for important applications: those that bring in a lot of revenue or handle important data for your organization.

  1. Create doomsday scenarios

 Doomsday scenarios are hypothetical situations: the worst that could happen for an application – and for your business. Creating doomsday scenarios helps you to proactively anticipate – and even prevent – possibly catastrophic events. You need to describe the following:

  • Threat sources: who would be interested in compromising the applications? Why would this be interesting for an attacker?
  • Impact: what will be the impact of an attack? Some of the possibilities are theft, loss, corruption and disruption.
  • How: how will the scenario be realized? Describe in detail how the attack would be performed.

These scenarios give feedback on your current security situation. You will discover more potential risks and steps to be taken to reduce these risks.

Could you use some more explanation? Click here to download our free ebook.


Security of Normalized Systems

I had an interesting conversation with Prof. Dr. Jan Verelst of the University of Antwerp. They (Prof. Dr. Jan Verelst together with Prof. Dr. Herwig Mannaert) created the theory of normalized systems.

A normalized system is created following a set of rules, which ends up making the software as ‘atomic’ or ‘modular’ as possible. Software modules are split up to the smallest units possible. This creates software that has no ‘ripple effects’, meaning that updating a part of it, adding functions and features, or changing underlying systems needs minimal effort. Software stays nimble and changeable.

After working many years on the theory, they started NSX to bring this concept to market. They have now had several successful projects. I am interested to see if the promise of making systems nimble and easy to change comes true.

Our conversation was about how normalized systems relate to security. In effect, a NS is not secure by default, but there are quite a few benefits when it comes to security:

  • if a flaw is found in the code expander (the ‘blueprint’ of a piece of code), fixing the expander allows for all software based on it to be easily updated to the newer, safer version
  • if there is a problem with the underlying system (OS or hardware), the code can be generated quickly for a different system
  • if a developer introduced a problem in the (limited) human generated code, it is easily tracked and replaced without effects on other modules, since the modularity is so extreme

All in all, I expect great thing from NS. Making code modular doesn’t automatically make it more secure, but it limits the damage and makes it easier to fix.