With 25+ presentations to choose from, I cover everything from #securecoding and #threatmodeling to AI risks and #AppSec—always with humor, clarity, and actionable takeaways.
These aren’t just talks—they’re lessons your team will remember.
2/3
I just saw this paper by Dinis Cruz on #ThreatModeling with #LLMs. I've been thinking along these lines for a while, but he's written it down completely and cogently. I agree with a lot of what I have read so far (I haven't finished it yet).
Edit: @WiseWoman called my attention to the fact that Dinis lists "ChatGPT Deep Research" as a co-author(?). Sigh. No wonder this text passed the sniff test. It's so full of chatbot output he gave the chatbot co-author credit.
Ah well. Some of it is right. But now the inconsistencies make sense.
I decided to share some of my observations that would benefit you if you are building applications: a deep dive session into the archetypes of attackers.
This session is for people who are developing software of any kind. It could be an API endpoint, a blog, or a complex application used by millions.
Join in or share with smart people.
Let me help you!
https://talkweb.eu/whos-attacking-you/
#cybersecurity #threatmodeling #zerotrust
I have seen a lot of efforts to use an #LLM to create a #ThreatModel. I have some insights.
Attempts at #AI #ThreatModeling tend to do 3 things wrong:
1/n
Get pumped for #OWASP Global #AppSec EU in May! Enhance your experience by becoming a Mentor and building lasting connections while assisting others on their journey! Don't miss out, sign up here: https://owasp.wufoo.com/forms/zk2cdkr1qla6o8/ #CyberSecurity #AI #threatmodeling #Barcelona #devsecops #infosec
"The Signals Network (TSN) and the Reynolds Journalism Institute (RJI) are launching comprehensive training for journalists working with sensitive sources.
The training modules will live permanently on TSN’s website and be free to access."
https://rjionline.org/news/protecting-the-protectors/
#journalism #whistleblowers #digitalsecurity #privacy #threatmodeling
Some of my colleagues at #AWS have created an open-source serverless #AI assisted #threatmodel solution. You upload architecture diagrams to it, and it uses Claude Sonnet via Amazon Bedrock to analyze it.
I'm not too impressed with the threats it comes up with. But I am very impressed with the amount of typing it saves. Given nothing more than a picture and about 2 minutes of computation, it spits out a very good list of what is depicted in the diagram and the flows between them. To the extent that the diagram is accurate/well-labeled, this solution seems to do a very good job writing out what is depicted.
I deployed this "Threat Designer" app. Then I took the architecture image from this blog post and dropped that picture into it. The image analysis produced some of the list of things you see attached.
This is a specialized, context-aware kind of OCR. I was impressed at boundaries, flows, and assets pulled from a graphic. Could save a lot of typing time. I was not impressed with the threats it identifies. Having said that, it did identify a handful of things I hadn't thought of before, like EventBridge event injection. But the majority of the threats are low value.
I suspect this app is not cheap to run. So caveat deployor.
#cloud #cloudsecurity #appsec #threatmodeling
it's lucky for some team out there that i find few things are as satisfying as transmogrifying a team of 3 into a team of 9. or 90 into 270.
even i know that's good math! they start spotting problems before they get in front of me for their second and third #threatmodel.
i have experience in managed services, vuln management, IR, forensics, cloud architectures, saas vendors, HPC, docsis/fiber/firewalls/ids/ips/MFA/u2f/pki
my #jobsearch continues, most of my search is focused around PHL or Toronto/GTA and remote looking for:
1. a crew & leadership with a culture of collab & support; shared responsibility model ;)
2. they're okay with me floating between IA & PA
3. if they're in canada might they sponsor plz
i would love an org that wants to implement a culture of #threatModeling and #privacy because i can turn software engineers into #security and privacy resources in about 12-18mo.
Boiler up!
I will be a guest of CERIAS’s Weekly Security Seminar Series!
In a talk called “Risk is Not Axiomatic,” we will discuss how systems are secured at a practical engineering level and the science of risk. As we try to engineer secure systems, what are we trying to achieve and how can we do that?
Register now to reserve your spot!
Date: February 12, 2025 @ 4:30pm ET
Location: Zoom
https://shorturl.at/IOtMx
Not the biggest question right now, for sure, but one that still has worldwide effects:
With the ongoing #BrainDrain (aka #layoffs) and meddling in US institutions, how will software security analysis be affected? Can #NVD still be trusted with being the main source of #CVEs in many popular tools?
Should e.g. Europe build up own capacities in vulnerability analysis and set up own databases? Are there existing solutions already?
#infosec #cybersecurity #threatmodeling
so many #threat modeling workflows are uncivilized, creaky, positively antediluvian.
#threatmodeling should be modern, configured as code, a creative, collaborative romp to reify a defensive strategy that outmaneuvers attackers.
thus, this yule, my deciduous.app co-conspirator @rpetrich and I bear a gift: Deciduous-VS, a #VSCode extension to build and visualize decision trees within your IDE (== local dev for classified/regulated envs, too)
learn more in my post: https://kellyshortridge.com/blog/posts/deciduous-for-vscode-local-decision-tree-editing/
On a list I'm on, someone asks for advice protecting a small trans support org worried about e.g. keeping their membership list safe.
Several people respond, "Talk to company <x>, they help non-profits secure infra."
I look at <x>. Its flagship product automates managing security controls in apps like Google Workspace and Slack.
I'm like, this isn't going to help when the subpoenas start flying. Y'all need to change your threat model.
#smdh #infosec #threatModeling #politics #USPol
Calling all Trainers! The exciting opportunity to be part of #OWASP Global #AppSec EU as a Trainer is here! Join us in Barcelona to showcase your 1, 2, or 3-day training course. Don't miss out, submit your proposal today: https://sessionize.com/owasp-global-appsec-eu-2025-cft/
#OWASP #AppSec Days India is almost here! Join us on November 14-15 for top-notch speakers and tons of valuable insights. Don't miss out! Register now at: https://www.eventbrite.com/e/995548892537?aff=oddtdtcreator
Exciting news! #OWASP #BeNeLux is happening next month! Check out the amazing lineup of speakers and training courses. Don't miss out on this FREE must-attend event! Register now at https://www.owaspbenelux.eu/
#OWASP #BeNeLux takes place next month! Take a look at our fantastic line up of speakers and training courses available. REGISTER NOW, this is an event you will not want to miss! https://www.owaspbenelux.eu/
As privacy advocates and cybersecurity pros, we know that maintaining control over our digital footprint is a constant battle. In 2024, the threat landscape continues to evolve, requiring more advanced, proactive approaches to defend both our privacy and security.
Here are key strategies for staying ahead of the curve:
1. Update Vigilance
Staying on top of OS and software updates is still one of the most effective ways to avoid exploits. Remember that vulnerabilities like BlueBorne and WPA2's KRACK have been successfully exploited but mitigated by timely patches. For those who prioritize control, manual updates are still the way to go. Review each changelog to assess any privacy concerns (i.e., telemetry changes).
2. Minimalism as a Strategy
The fewer programs you use, the smaller your attack surface. When it comes to privacy and security, minimalism isn't just a lifestyle—it's a tactic. Evaluate the software you install: does every app or service truly align with your goals? Stripping back unnecessary software reduces risks.
3. Linux: A Secure, Customizable Option
Consider adopting Linux for its robust control over security and privacy. Debian-based systems are known for stability, and with proper configuration, they provide a minimalistic and privacy-focused environment. Don't just stop at installation: configure your firewall, DNS, and daily operational scripts to reduce leaks and improve defense.
4. Virtual Machines (VMs) for Containment
VMs, especially when combined with open-source virtualization software, offer excellent containment strategies. Whether you're doing OSINT, sandboxing risky software, or simply adding layers of defense between your host machine and the web, a well-configured virtual environment can drastically reduce exposure. This method is especially effective for isolating specific tasks, preventing cross-contamination between applications or services.
5. Advanced Browser and DNS Configuration
Use privacy-focused browsers like Firefox with hardened settings and explore the use of container tabs to isolate browsing sessions. For additional protection, employ DNS-over-HTTPS (DoH) or DNS-over-TLS to encrypt your DNS requests, mitigating man-in-the-middle attacks. Consider decentralized DNS services as a next step.
6. Firewall and VPN Integration
Layering firewalls with VPNs is essential. But go further: implement firewall rules that ensure your system doesn't make any network requests unless the VPN is active. This can protect you in case of VPN failure, ensuring that your data never travels over insecure networks.
7. Use of Public and Private Keys for Authentication
Where possible, replace traditional passwords with public-key cryptography for authentication. This drastically reduces the threat of brute-force attacks and compromises on services requiring authentication.
8. Steganography & Disinformation
Beyond encryption, consider steganography for hiding critical data in plain sight. As an added layer of security, practice disinformation tactics: provide plausible but fake information that misleads adversaries, ensuring they pursue dead ends.
9. Breach Monitoring and Response
With the rise in data breaches and logs from stealer malware, proactive monitoring of breach data can help defend against credential stuffing and identity theft. Regularly check breached data sites and consider using tools to alert you if any of your data appears in a public leak.
10. Self-Hosting for True Control
Take your privacy into your own hands by moving toward self-hosted solutions where possible. Whether it’s email, file storage, or other critical services, self-hosting allows you to maintain full control over your data and avoid the vulnerabilities that come with cloud providers.
Stay safe, stay secure, and continue advancing your privacy and security strategy for 2024. The adversaries aren’t getting any slower; neither should we.
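The "no network requests unless the VPN is active" rule from item 6 above, as an added example that is not part of the original post: a POSIX shell function that emits an nftables ruleset with a default-deny output chain, so that when the tunnel drops, packets are blocked rather than silently routed over the bare link. The interface names (eth0, wg0), the VPN endpoint 203.0.113.10 on UDP 51820, and the LAN range 192.168.1.0/24 are constructed placeholders, not values from the post; substitute your own before loading.

```shell
#!/bin/sh
# Added example, not from the original post: generate an nftables "VPN kill switch".
# Assumed (constructed) values: physical NIC eth0, WireGuard tunnel wg0,
# VPN endpoint 203.0.113.10:51820/udp, optional LAN 192.168.1.0/24.

# gen_killswitch_rules <phys_if> <tun_if> <vpn_endpoint_ip> <vpn_udp_port> [lan_cidr]
# Prints a complete nftables ruleset on stdout.
gen_killswitch_rules() {
    phys_if="$1"; tun_if="$2"; vpn_ip="$3"; vpn_port="$4"; lan="${5:-}"
    cat <<EOF
table inet vpn_killswitch {
    chain output {
        # Default deny on outbound traffic: anything not explicitly allowed is
        # dropped, which is what keeps data off the bare link when the tunnel is down.
        type filter hook output priority 0; policy drop;

        oifname "lo" accept
        ct state invalid drop
        ct state established,related accept

        # The encrypted tunnel itself must reach the VPN server over the physical NIC.
        oifname "$phys_if" ip daddr $vpn_ip udp dport $vpn_port accept

        # DHCP so the physical link can keep its lease while the VPN is down.
        oifname "$phys_if" udp dport 67 accept

        # Everything routed through the tunnel interface is allowed.
        oifname "$tun_if" accept
EOF
    if [ -n "$lan" ]; then
        cat <<EOF

        # Optional: local network (printer, NAS) stays reachable without the VPN.
        oifname "$phys_if" ip daddr $lan accept
EOF
    fi
    cat <<EOF

        # Count and log what the drop policy is about to discard, so a
        # "VPN down" event shows up in the kernel log instead of failing silently.
        counter log prefix "vpn-killswitch drop: "
    }
}
EOF
}

# Usage with the constructed values: write the ruleset, syntax-check it, then load it.
#   gen_killswitch_rules eth0 wg0 203.0.113.10 51820 192.168.1.0/24 > /tmp/killswitch.nft
#   nft -c -f /tmp/killswitch.nft && nft -f /tmp/killswitch.nft
```

Two design points: the `inet` family table hooks both IPv4 and IPv6, but the only non-tunnel allow rules are IPv4-specific (`ip daddr`), so IPv6 traffic that is not inside the tunnel is dropped as well, which closes the common IPv6 leak. The trailing `counter log` rule gives you a cheap detection signal: a burst of `vpn-killswitch drop:` lines in `dmesg` or the journal means the tunnel went down and the switch did its job.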
It's not too late to sign up for #OWASP Global #AppSec SF! Get ready for top-notch 1-, 2-, or 3-day training from Sept. 23-25 (some courses offer a virtual option!), followed by conference and expo days on Sept. 26-27. Secure your spot NOW! https://sf.globalappsec.org/
OWASP AppSec Days Singapore is coming soon on October 1-2!
This 2-day event is specifically designed for infosec professionals.
We have a great lineup of speakers for Oct 2, including Abhijit Chatterjee, Brian Reed, Vikas Khanna, and Surya Subhash.
Register to attend now on our website to attend training sessions from experts in their fields, and listen to these speakers and more.
REGISTER
https://owaspappsecdayssingapore2.rsvpify.com/?securityToken=3jRkInslc6YdgQ7200JZeG1RIGerJHzw