OWASP BeNeLux Days 2018

I love working with OWASP because I strongly believe in the values of knowledge sharing and community building. I personally started the OWASP Belgium chapter in Belgium in 2005. Today, I am also very active as co-leader on the OWASP SAMM project.

When I started my company Toreon (cyber security consulting), I tried to instil the same values in the business. I attracted people with the same mindset of knowledge sharing. Now many of my colleagues are active at OWASP and Toreon’s Steven Wierckx is the project leader on the OWASP Threat Modeling Project.

We believe that donating time and money to open source projects and the OWASP community can really improve the overall security of software (realising Toreon’s mission of ‘Creating trust for a safer digital society’).

At the same time we learn a lot by being active in these projects and we build a network of specialists and friends within the OWASP community.
We also put our money where our mouth is: Toreon is a proud sponsor of the OWASP Belgium chapter and the upcoming OWASP BeNeLux Days on the 29th and 30th of November in Mechelen, Belgium, which has a great line-up and free trainings: check it out here.
Make sure to come to the conference and if you can, become a (personal or corporate) OWASP member! And please tell all your friends and colleagues about OWASP.

At the conference, come and say hi at our booth! You can win a book from Adam Shostack on Threat Modeling or a Google AI do-it-yourself kit with an intelligent camera and Raspberry Pi.


CoderDojo @ Toreon

Since the start of this school year, the CoderDojo sessions of the Antwerp-Centre chapter have been held in Toreon’s renovated office. CoderDojo encourages children aged 8 to 16 to experiment with technology and programming. The youngest among them learn to program games with Scratch. As their interest grows, they move on to mBot, steering small robots, or micro:bits, programming a cool micro:bit board into, for example, a musical instrument or an alarm clock. Other children who want to experiment more with electronics do so with Arduino UNO boards, which they use to drive LEDs, displays, motors and other electronic components.

During the October dojo, a few children assembled the mBot. They started by screwing the little car together. Then the Arduino-based controller was mounted. Next, the motors and sensors were connected. As a result, they programmed the small robot and made it drive. The end result can be seen in the photo. Congratulations to all participants!

The coaches and Toreon are already looking forward to all the beautiful and inventive things the children will go on to make. The result is determined by the child’s imagination and is therefore always a surprise. Visit CoderDojo for more information and registration.

[Photo captions: “Working together gets you further.” “Consultants in the making.” “Utmost concentration.” “The mBot drives!”]


New Whiteboard Hacking Training: Advanced and for Pentesters

One of Toreon’s key values is the gathering and sharing of knowledge. We try to encourage our own people to do this all the time and actively facilitate this. Knowledge grows exponentially when shared and combined with people of all knowledge levels, even if they come from different IT security domains.

This made us realise that we have a lot of knowledge to share. We see it as our duty to help train top notch IT security specialists. First we started to train the Toreon employees and later on also clients’ employees, which we have been doing for several years now. All this knowledge is now also available for your organisation. The better your people are trained and prepared, the more we can all focus on our main objective: creating a safer digital society.

We have expanded our knowledge base, fine-tuned our workshops and trainings, and now also offer them for conferences and in-house company training.

Our Whiteboard Hacking training has been doing so well (OWASP AppSec Europe 2017 in Belfast, Northern Ireland – Black Hat USA 2017 in Las Vegas, USA – O’Reilly conference 2017, NY, USA) that we’ve developed an advanced version, which is already scheduled for Black Hat 2018 (USA and Europe) and BruCON 2018 (Ghent, Belgium):
– Black Hat Las Vegas, USA (August 2018)
– Black Hat London, UK (December 2018)

We recently started with versions for pentesters and DevOps engineers: Offensive whiteboard hacking for penetration testers. Already available at:
– BruCON 2018, Ghent, Belgium (October 2018)
– DevSecCon 2018 London (October 2018)

Check out all the details of our available AppSec trainings.

Contact us for an in-house training offer, tailor made to suit your needs.


Our ‘Adding Privacy by Design in Secure Application Development’ talk at OWASP London

On 5 June, Seba delivered the talk “Adding Privacy by Design in Secure Application Development” at the OWASP Europe conference in London.

Seba addressed the complex GDPR challenge for developers as part of a Secure Development Lifecycle approach.

The presentation covered:

• GDPR requirements covering design, data lifecycle, users and end of life aspects
• Privacy by Design challenge
• Including GDPR in the Secure Development Life Cycle
• Mapping OWASP SAMM to the GDPR
• Integrating privacy in application security classification, awareness training, guidelines, AppSec champions, threat modeling, 3rd parties, security testing and incident management
• Introducing GDPR risk patterns

Our talk focused on practical implementation aspects and demonstrations of real-life use cases encountered in our software security and privacy projects.

You can download the slides here.

Threat modeling in 4 steps

We convinced you of the usefulness of threat modeling in a previous post. But where and how do you start? Threat modeling is performed through a series of workshops in which architects, developers and system administrators are guided through the threat modeling process. It is the primary security analysis task executed during the software design stage. Threat modeling is typically performed in 4 steps:

  • Diagram: what are we building?
  • Identify threats: what can go wrong?
  • Mitigate: what are we doing to defend against threats?
  • Validate: validate the previous steps and act upon them

Step 1: diagram the application

In this step, you gain a comprehensive understanding of the mechanics of your application. In other words: you understand what you are building. That makes it a lot easier for you to uncover more relevant and more detailed threats. This also includes the identification of clear security objectives. They help you to focus the threat modeling activity and determine how much effort to spend in the following steps. When you have documented the important characteristics of your application and actors, you can identify relevant threats during the next step more easily.

Step 2: identify threats with STRIDE

You use the details from the previous step in the STRIDE phase to identify threats relevant to your application scenario and context. With STRIDE, you can systematically identify what can go wrong.

STRIDE was developed by Microsoft to educate developers on how to think about computer security threats, and is an acronym for:

  • Spoofing: can an attacker gain access using a false identity?
  • Tampering: can an attacker modify data as it flows through the application?
  • Repudiation: if an attacker denies doing something, can we prove they did it?
  • Information disclosure: can an attacker gain access to private or potentially injurious data?
  • Denial of service: can an attacker crash the system or reduce its availability?
  • Elevation of privilege: can an attacker assume the identity of a privileged user?

Each of these threats is the opposite of a property that you want your system to have. Spoofing – for example – is the opposite of authentication.

Step 3: mitigate identified vulnerabilities

In this step, you review the layers of your application to identify the necessary security controls related to your threats. Vulnerability categories help you focus on those areas where mistakes are most often made.

Step 4: validate

The final step is to validate the whole threat model. Is each threat mitigated or not? And for unmitigated threats: are the residual risks clearly explained and tied into business risks? In the validation step, you also decide on and follow up the next steps to manage the identified threats.
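The four steps above, including the STRIDE property mapping of step 2, as an added Python example that is not part of the original post: the STRIDE-per-element applicability table is Microsoft’s SDL convention (not Toreon’s), and the diagram (a user, an API, a database), the controls and the accepted risk are constructed sample data.

```python
# Added example (not from the Toreon post): a small STRIDE-per-element threat
# model that walks the four steps above on constructed sample data.
from dataclasses import dataclass
from typing import Optional
# Step 2: STRIDE categories per DFD element type (Microsoft SDL STRIDE-per-element table).
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_store": "TRID", "data_flow": "TID"}
# Each STRIDE threat is the opposite of a property the system should have.
PROPERTY = {"S": "authentication", "T": "integrity", "R": "non-repudiation",
            "I": "confidentiality", "D": "availability", "E": "authorization"}
@dataclass
class Threat:
    element: str
    category: str                        # one STRIDE letter
    mitigation: Optional[str] = None     # step 3: control applied
    residual_risk: Optional[str] = None  # step 4: documented accepted risk

def identify_threats(diagram):
    """Steps 1-2: from a diagram {element: type}, list candidate threats."""
    return [Threat(el, c) for el, kind in diagram.items()
            for c in STRIDE_PER_ELEMENT[kind]]

def mitigate(threats, controls):
    """Step 3: attach controls keyed by (element, STRIDE letter)."""
    for t in threats:
        t.mitigation = controls.get((t.element, t.category))
    return threats

def validate(threats, accepted):
    """Step 4: return threats neither mitigated nor carrying a documented residual risk."""
    for t in threats:
        t.residual_risk = accepted.get((t.element, t.category))
    return [t for t in threats if t.mitigation is None and t.residual_risk is None]

# Constructed sample: a user calling a web API that reads from a database.
DIAGRAM = {"user": "external_entity", "api": "process", "db": "data_store",
           "user->api": "data_flow"}
CONTROLS = {("user", "S"): "OIDC login with MFA", ("api", "E"): "server-side authz",
            ("user->api", "T"): "TLS 1.2+", ("user->api", "I"): "TLS 1.2+",
            ("db", "I"): "encryption at rest, least-privilege DB account"}
ACCEPTED = {("user", "R"): "no audit log yet; accepted by the product owner"}

def run_model(diagram=DIAGRAM, controls=CONTROLS, accepted=ACCEPTED):
    threats = mitigate(identify_threats(diagram), controls)
    return threats, validate(threats, accepted)  # (all threats, open gaps)

if __name__ == "__main__":
    for g in run_model()[1]:
        print(f"OPEN: {g.element} / {g.category} ({PROPERTY[g.category]} not ensured)")
```

The open gaps it reports are exactly the decisions step 4 asks for: each one needs either a control or an explicitly documented residual risk before the model is complete.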

Do you want to take your application security controls to the next level? Say no to threats and book a seat in our open Hands-on Threat modeling training.

Threat modeling: what is it, how does it work and why is it so important?

You might have heard of threat modeling as a structured activity for identifying and managing application threats. And that’s exactly what it is. Threat modeling – also called Architectural Risk Analysis – is an essential step in the development of your application. Without it, your protection is a shot in the dark.

Multiple security issues, a timely approach

When you create a piece of software, you will face multiple security issues in different phases of the lifecycle, such as security design flaws, security coding bugs and security configuration errors.

Reducing risks effectively means starting threat modeling as early as possible. That is why it is typically done during the design stage of a new application. Threat modeling allows you to find vulnerabilities and to consider, document and discuss the security implications of design, code and configuration.

4 essential steps

Threat modeling is typically performed in 4 steps:

  • Diagram: what are we building?
  • Identify threats: what can go wrong?
  • Mitigate: what are we doing to defend against threats?
  • Validate: validation of the previous steps and act upon them.

Want to gain more in-depth insights about these steps? Read our blog post Threat modeling in 4 steps.

Why you should start with threat modeling

One of the major advantages of threat modeling is that you prevent security flaws when there is time to fix them: in the design phase. But there are many more reasons to start with threat modeling today, such as:

  • You select a mitigation strategy and techniques based on identified, documented and rated threats.
  • You identify and address the greatest risks.
  • You are able to prioritise development efforts within a project team based on risk weighting.
  • You increase risk awareness and understanding.
  • You use mechanisms for reaching consensus and better trade-off decisions.
  • You also make use of threat modeling to communicate results.
  • You benefit from cost justification and support for needed controls.
  • You use artefacts to document due diligence for each software project.

Do you want to discover everything you need to know about threat modeling? And get concrete tools to implement threat modeling in your organisation? Book your seat in our Hands-on Threat modeling course.