Tuesday, April 19, 2016

Application Threat Modeling in Risk Management

I presented this topic at West Michigan ISC2 Chapter meeting back in February and have been meaning to get the slide deck posted ever since. My apologies for taking so long with it. I wanted to clean up the references section and needed to add attribution in some places. Life gets in the way sometimes, but anyway.... I hope someone finds it useful. I continue to mine these ideas and the information sources that I cite within the slides.

The central concept is that software is still one of the most insecure areas in any enterprise. We put up firewalls, intrusion detection and prevention systems, implement lovely policies and tell our various boards of directors that we're doing all that can be reasonably done. But how do we know we're really applying the most cost effective mitigations to the right assets? How can we really express to non-technical stakeholders the true levels of risk they are accepting? As security professionals, we know the true picture of security sometimes looks pretty bleak, but we need to do better at quantifying that reality in business terms.

This presentation points to some tools and methods that help us do this. I believe these ideas can help management make more intelligent decisions about what kinds of business services or interfaces they want to offer, build the culture of risk management and the consensus needed to start raising the bar on security.

Download the presentation from the Downloads page, or directly here to get the notes: https://goo.gl/lybi09
or just the slides from SlideShare http://www.slideshare.net/MelDrews/application-threat-modeling-in-risk-management