    OWASP Training Day - Hamilton (Jan 2024)

    Gallagher Security HQ - Hamilton
    Hamilton, New Zealand
    Event description

    We're pleased to offer our popular OWASP Training Day event in Hamilton, on Saturday, 27th January.

    Thanks to the generous support and assistance of the team at Gallagher, we're able to offer this low-cost training opportunity to interested professionals.

    For this year's Hamilton event, we have two full-day classes on offer:

    • Threat Modelling: From None to Done (John DiLeo, @gr4ybeard)
    • Like ISO/IEC 27001, but Backwards (Stephen Coates, @securitysteve@mastodon.nz)

    Class Fee: $99.00 per person (plus GST and booking fee)

    Start Time: 8:45 a.m. (Registration check-in opens at 8:00)

    End Time: 5:30 p.m.

    Tea Breaks and Lunch will be provided.

    Class Overview - Threat Modelling: From None to Done:

    This session offers participants an interactive introduction to Threat Modelling and its use as a technique for identifying consequential ("Yes, and...") security requirements for applications and systems. A key focus of this course is applying Threat Modelling as a daily practice within your organisation's system development processes, to improve the overall quality and security of the applications and systems you build and deploy. In addition to addressing key questions around the "Five Ws," the presentation will cover the instructor's "Seven Questions" approach (adapted from Adam Shostack's "Four Questions") to developing a model, and include several interactive exercises to provide direct experience. A brief review of available modelling tools will also be included, along with a discussion of the opportunities and challenges for introducing Threat Modelling into your SDLC.

    Topic Outline:

      • Introduction - Overview and Initial Modelling Exercise
      • The Five Ws of Threat Modelling
      • Modelling Approach - DiLeo's Seven Questions
      • Identifying the Scope - What are we building?
      • Identifying Threats - What could go wrong?
      • Risk Management Overview
      • Identifying Mitigations - What *could* we do about it?
      • Selecting Mitigations - What *will* we do about it?
      • Verification and Validation
      • Getting Started - Incremental Threat Modelling
      • Tools for Creating Threat Models
      • Integrating with the SDLC

      Your Trainer: John DiLeo

      Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter. In his day job, John is a lead Solution Architect at IriusRisk, covering the Asia/Pacific region. Before joining IriusRisk, John led the Application Security Services team at Datacom, providing support and guidance to clients in launching, managing, and maturing their enterprise software assurance programs.

      Before turning to full-time roles in security, John was active as a Java enterprise architect and Web application developer. In earlier lives, John has been a full-time professor and had specialised in developing discrete-event simulations of large distributed systems.

      John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, leads the OWASP State of AppSec Survey Project, and is a member of the OWASP Education and Training Committee.

      Class Overview - Like ISO/IEC 27001, but Backwards:

      ISO/IEC 27001 details the requirements of an Information Security Management System (ISMS). This risk-based framework gives a systematic approach to managing the confidentiality, integrity and availability of critical organisational information. Mandatory clauses 4-10 are at the core of the standard, covering the context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement. It's a framework that has an embedded set of comprehensive controls based on good practice in information security. Implementing the framework and the relevant controls helps organisations protect themselves from the consequences of the risks they face.

      However, as a consultant, Stephen Coates has witnessed a number of failed ISMS implementation projects. These are often due to a combination of focussing on the ISO/IEC 27001 mandatory clauses in sequence (from 4 to 10), treating these as the project plan and running out of steam, and trying to reimplement all of the Annex A controls at once. In this full-day training, Stephen will examine some of those failures and propose the novel and strategic approach of working backwards, so that improvements, reviews, audits, metrics and operation are addressed earlier, rather than later or not at all.

      It’s going to be a bit like assembling a jigsaw puzzle, starting with the final image in mind, finding the pieces for the outer frame, and then working our way through all the middle pieces. This method offers a fresh perspective and will lead us to insights we would not have gained by starting at Clause 4.

      Topic Outline:

        • Welcome and Introductions
        • Overview of ISO/IEC 27001; Significance of each mandatory clause
        • Group Exercise: Set the scene; allocate teams and roles
        • Forward Approach to Clauses 4, 5, and 6
          • Detailed exploration of Clauses 4 (Context of the organization), 5 (Leadership), and 6 (Planning)
          • Group Exercise: Applying the mandatory clauses to our scenario
        • Flip the Script to Clauses 10 to 8
          • Begin with Clause 10 (Improvement), discussing how to integrate continuous improvement from the start
          • Address Clause 9 (Performance evaluation), ensuring we have the right metrics and targets
          • Move to Clause 8 (Operation), tackling the operation of the ISMS and connecting it back to performance evaluation and improvement
          • Cheat Mode: Overview of CIS Controls v8 and Implementation Group 1 (IG1)
          • Interactive Session: Group discussion on the Backwards Method
        • Reinforcement and Practical Application
          • Introduce Clause 7 (Support), ensuring the resources and awareness needed for the ISMS
          • Revisit earlier work on Clauses 6, 5 and 4, integrating with the Backwards Method and highlighting typical gaps and gotchas
        • Final Exercise: Forwards application of ISO/IEC 27001 to our scenario
        • Q & A, Lessons indicated, and Wrap-up

        Your Trainer: Stephen Coates

        Stephen Coates is a pragmatic InfoSec Consultant in the governance, risk management, and compliance (GRC) space. He has come a long way since starting out as a software student apprentice, back in 1980s England. He now has many years of experience that cover information security, cloud, risk management, privacy, e-commerce, IT infrastructure and IT Service Management. Having worked in these fields for so long, he's accumulated a wealth of war stories and a treasure chest of badges and certifications, and he is also a PECB ISO/IEC 27001 Lead Auditor.

        Team Discounts - For multiple registrations in a single order:

        • 6 - 10 tickets in total: 10% off the entire order
        • 11 - 15 tickets in total: 15% off the entire order
        • 16 or more tickets in total: 20% off the entire order

        Discounts appear, and are applied, on the Payment page.

        Questions? Please contact the Training Day Team.
