· Why bother modeling?
· Why security defenses don’t work
· Why risk management is broken
· Bridging the valley of death between IT and security
· A secure SDLC (software development life-cycle) for an unsecure world
· Escaping the hamster wheel of pain
· Defining security metrics
· Asset valuation
· Threat damage to asset
· Probability of occurrence
· Qualitative or quantitative?
· Is there ROI on security?
· Compliance drivers: Industry, Government, Vendor-neutral standards
· Threats / attack scenarios
· Assets
· Vulnerabilities
· Countermeasures
· Analyzing your threat model and building a cost-effective security countermeasure plan
· A class exercise
· Vulnerabilities
· Classifying vulnerabilities
· Common threads
· Software design fundamentals
· Enforcing security policy
· Threat modeling of software
· Exposure
· Countermeasures
· Buffer overflows
· Shellcode
· Protection mechanisms
· Address space layout
· Processes and threads
· File access
· Window messages
· Shatter attack
· TCP connections, an overview
· TCP streams
· Summary
· Q&A
· Evaluation