BayThreat 2010 Presentation
HAZOP Analysis Using This Funky Spreadsheet I Made in My Back Yard
You, or your inexperienced security minion, can find security flaws in
architecture or design quickly and easily using HAZOP analysis. All you
need is a sequential description of what the application does and a clear
definition of the negative security outcomes & attackers you're trying
to prevent from abusing the system. And, of course, this handy spreadsheet
from http://www.octotrike.org/.
This talk will include a quick rundown of getting the right data together,
how to actually do HAZOP analysis, how to do HAZOP analysis in the Trike
spreadsheet, the kind of results you'll get, and some effective ways to use
those results. Experienced security analysts find more holes faster using
this technique. The best part? After surprisingly little coaching, folks
with minimal security experience can use this method to find about 80% of
the design flaws experienced architecture security analysts find using ad
hoc design reviews. And, it's repeatable and consistent, so after your minion
takes the first pass, you can review and build on their work instead of
having to redo the analysis from scratch to figure out whether they've
missed anything.
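To make the mechanics concrete, here is an added example (not the Trike spreadsheet and not the speaker's method) of the generic HAZOP step the abstract refers to: take a sequential description of what the application does, apply each standard guide word to each step, and keep the deviations an attacker could plausibly cause, leaving the consequence and negative-outcome columns for the analyst to fill in. The login flow, the attacker definition and the rule for deciding which deviations an attacker can cause are all assumptions constructed for this illustration.

```python
"""Minimal HAZOP deviation generator for a sequential application description.

Added illustration of generic HAZOP mechanics; it is not the Trike spreadsheet
and not the speaker's own procedure. The sample flow, attacker and the
"attacker can cause" heuristic are assumptions made for this example.
"""
from dataclasses import dataclass
from itertools import product

# Standard process-HAZOP guide words; the software reading of each word is an
# assumption of this example.
GUIDE_WORDS = {
    "no": "the step does not happen or produces nothing",
    "more": "more than intended (quantity, frequency, privilege)",
    "less": "less than intended",
    "as well as": "something additional happens alongside the intended action",
    "part of": "only part of the intended action happens",
    "reverse": "the opposite of the intended action happens",
    "other than": "something different is done instead",
    "early": "the step happens before it should",
    "late": "the step happens after it should",
}


@dataclass(frozen=True)
class Step:
    name: str
    actor: str        # who performs the step, e.g. "user", "server"
    inputs: tuple     # named data items the step consumes


@dataclass(frozen=True)
class Deviation:
    step: str
    guide_word: str
    meaning: str
    attacker_can_cause: bool


def hazop(steps, attacker_controls):
    """Apply every guide word to every step.

    Heuristic (an assumption of this example): a deviation is marked as
    attacker-causable when the attacker is the actor of the step or controls
    at least one of the step's inputs. Everything else is kept too, because
    HAZOP deliberately records all deviations before judging them.
    """
    out = []
    for step, word in product(steps, GUIDE_WORDS):
        reachable = step.actor in attacker_controls or any(
            item in attacker_controls for item in step.inputs
        )
        out.append(Deviation(step.name, word, GUIDE_WORDS[word], reachable))
    return out


def worksheet(deviations, negative_outcomes):
    """Rows an analyst reviews: consequence and outcome are left blank on
    purpose; deciding which negative outcome (if any) a deviation leads to is
    the human judgement part of the analysis."""
    return [
        {
            "step": d.step,
            "guide word": d.guide_word,
            "deviation": d.meaning,
            "attacker can cause": d.attacker_can_cause,
            "consequence": "",
            "negative outcome": "",          # one of negative_outcomes, or none
            "candidate outcomes": tuple(negative_outcomes),
        }
        for d in deviations
    ]


# Constructed sample: a password login flow described as sequential steps.
SAMPLE_STEPS = (
    Step("submit credentials", "user", ("credentials",)),
    Step("look up account", "server", ("credentials",)),
    Step("verify password", "server", ("credentials", "stored_hash")),
    Step("issue session token", "server", ("verification_result",)),
)

# Constructed attacker: an anonymous network client who plays the "user" role
# and therefore controls the submitted credentials, nothing else.
SAMPLE_ATTACKER = {"user", "credentials"}

# Constructed negative security outcomes the review is trying to prevent.
SAMPLE_OUTCOMES = ("unauthorized account access", "account lockout of others")


def review_queue(steps=SAMPLE_STEPS, attacker=SAMPLE_ATTACKER):
    """Deviations the attacker can cause, in the order an analyst walks them."""
    return [d for d in hazop(steps, attacker) if d.attacker_can_cause]


if __name__ == "__main__":
    for row in worksheet(review_queue(), SAMPLE_OUTCOMES):
        print(f"{row['step']:<22} {row['guide word']:<11} {row['deviation']}")
```

Running the block prints 27 rows (three attacker-reachable steps times nine guide words); the token-issuing step is excluded by the heuristic because its only input is the server's own verification result. Rows such as "verify password / no" or "look up account / more" are the ones the abstract means by design flaws that fall out of the matrix rather than out of an ad hoc review.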
Slides & Spreadsheet
The slides for HAZOP Analysis Using This Funky Spreadsheet I Made in My Back Yard discuss this version of the Trike spreadsheet.