The Open Web Application Security Project (OWASP) Los Angeles Chapter has teamed up with the Orange County, Inland Empire, San Diego, and San Francisco Bay Area chapters to bring you another great AppSec California. Join us and your peers for amazing talks and networking on January 22-25, 2019!
Thursday, January 24 • 4:20pm - 5:10pm
Offensive Threat Models Against the Supply Chain

Threat models are often used by security champions to discover flaws in application environments. Many threat models are built through a defensive lens, forgoing realistic attack patterns that reflect adversarial goals in favor of simply using a limited, non-mutable threat category.

This talk will focus on applying a more adversarial threat model to supply chain systems that are integrated into client environments. Supply chain software is highly attractive to cybercriminals because it is implicitly trusted by many of the [vendor's] respective client infrastructures. Threat actors in this area include nation states, competing corporations, and private hacker syndicates. Emulating realistic offensive attack patterns in threat models yields better results for defensive measures by providing attack patterns that are more realistic based upon criminal cyber trends.

Goals for this talk will be as follows:
- View a sample threat library for Supply Chain threat models
- Understand threat sources that substantiate these types of threat models
- Exemplify the threat model against real-world MNCs (one or two will be exemplified)
- Build a sample attack tree to blueprint exploit development and testing
- Understand how an operationalized attack tree yields granular countermeasure development and more specific risk reduction measures for the application
- See how such an exercise can bolster other activities in a security program (vendor risk management, legal/procurement, etc.) in order to shore up supply chain risks associated with a given threat model.

Tony UcedaVelez

CEO, VerSprite
Talk to me about organizational and application threat models, risk centric threat modeling, OSINT for threat modelers, building dynamic threat libraries, building a dynamic attack surface for applications. Always interested in RCE and PrivEsc zero days you may be cooking up...

Thursday January 24, 2019 4:20pm - 5:10pm
Terrace Lounge