Transvasive Security

the human factor

Behavioral Security Modeling: Functional Security Requirements

In my Behavioral Security Modeling talk at OWASP AppSec USA 2011, I promised a white paper on BSM. Since then, I enlisted the aid of Karl Brophey, a friend who has a wealth of experience in software development and architecture, and the result of our collaboration is finally complete! I’m pleased to formally announce the release of the first BSM white paper, “Behavioral Security Modeling: Functional Security Requirements.” Karl and I will be speaking about the paper today at Secure360 in St Paul. Hope to see you there!

Abstract:

Defining functional security requirements is a key component of Behavioral Security Modeling, a method to improve security through accurately modeling human/information interactions in social terms. The paper proposes a practical, SDLC-agnostic method for gathering functional security requirements by establishing limits on interactions through a series of questions to identify, clarify, and uncover hidden constraints. Five categories of constraints are presented, along with advice and “requirement patterns” to facilitate discussions with stakeholders and translate business needs into unambiguous security requirements. General advice on improving constraints, implementation considerations, security actions, quality assurance, and documenting post conditions are also discussed.

Version 1.0 disclaimer: this white paper attempts to formally capture our collective knowledge on how to effectively define functional security requirements. The next step is to test the theory by implementing the approach in a number of application development environments.

Paper:

Behavioral Security Modeling: Functional Security Requirements

SIRACon: Organization of Risk Management Programs

I spoke today (May 7, 2012) at SIRACon, the first ever conference of the Society of Information Risk Analysts. Here is the description I submitted for the talk – it is fairly close to the final product:

Effective, established Risk Management practices fall into two major categories: management of risk due to accidental damage (safety) and management of risk due to threats (protection). This talk will present the case that these are two distinct methodologies, and all information risk management should be divided into protection functions (like the Secret Service) and safety functions (like the Aviation Industry), staffed by different people if possible, due to the differences in approach, available data, threat behavior, and the cognitive biases of the risk analysts themselves.

I’ve uploaded copies of the talk to my site: Organizing Risk Management Programs, Or, What I learned from the Aviation Industry and the US Secret Service.

I really enjoyed the day’s talks, and appreciated all the different perspectives; they all help with our still-immature business of information risk analysis and information risk management.

I believe there will also be a video of my talk; I’ll post a link to that once it becomes available.

Upcoming Talks in 2012

I’m pleased to announce three upcoming speaking engagements in 2012!

First, I’ve been busy working with Karl Brophey on the Behavioral Security Modeling whitepaper I promised back in September 2011 at OWASP AppSec USA here in Minneapolis. Karl has a wealth of experience in software development and architecture, and we will be publishing the paper and giving a presentation at Secure360 in St Paul on May 8. If you are going, make sure to register for the Secure360 Run/Walk for ECHO!

Second, I’ll also be speaking the day before (on May 7) at SIRACon, the first-ever conference of the Society of Information Risk Analysts, on “Organizing Risk Management Programs, or, What I Learned from the Secret Service and the Aviation Industry,” where I will make the case for splitting up risk management into two separate functions: information protection (like the Secret Service), and information safety (like the airline industry). While I’m excited to be speaking, I’m even more excited to see the other talks, given by Risk Management thought leaders from around the country.

Finally, I just learned today that my proposal for the ISC2 Security Congress in Philadelphia was accepted, and I’ll be speaking on September 10 on “Defending Against Attacks by Modeling Threat Behaviors,” which will demonstrate how knowledge of attacker behaviors can be used to evaluate and improve application and infrastructure design. It’s my attempt to improve upon traditional threat modeling. The ISC2 Security Congress is co-located with the ASIS International conference, and I’m looking forward to attending talks from the world of physical security.