BayThreat 2010 Presentation
You, or your inexperienced security minion, can find security flaws in an architecture or design quickly and easily using HAZOP analysis. All you need is a sequential description of what the application does and a clear definition of the negative security outcomes you want to prevent and the attackers you want to stop from abusing the system. And, of course, this handy spreadsheet from http://www.octotrike.org/.
This talk will include a quick rundown of getting the right data together, how to actually do HAZOP analysis, how to do HAZOP analysis in the Trike spreadsheet, the kind of results you’ll get, and some effective ways to use those results. Experienced security analysts find more holes faster using this technique. The best part? After surprisingly little coaching, folks with minimal security experience can use this method to find about 80% of the design flaws experienced architecture security analysts find using ad hoc design reviews. And, it’s repeatable and consistent, so after your minion takes the first pass, you can review and build on their work instead of having to redo the analysis from scratch to figure out whether they’ve missed anything.
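To make the mechanics concrete, here is an added example of the core HAZOP move the talk describes: take the sequential description of the application, cross every step with a fixed set of guide words to get a complete list of deviations, and record for each deviation either a finding (attacker plus negative outcome) or a reason it was dismissed. This is illustration code written for this page, not the Trike spreadsheet or anything from octotrike.org; it assumes the generic IEC 61882 guide words (NO, MORE, LESS, AS WELL AS, PART OF, REVERSE, OTHER THAN, EARLY, LATE), which may not match the columns Trike's sheet uses, and the password-reset flow, attackers, outcomes and decisions are all constructed sample input. The point it shows beyond the abstract is the "review rather than redo" property: because the deviation list is exhaustive, a reviewer can ask the tool exactly which step/guide-word pairs the first analyst never decided on.

```python
"""HAZOP-style deviation enumeration and triage for a sequential app description.

Added example for this page; not Trike's spreadsheet. Guide words are the
generic IEC 61882 set (assumption: Trike's sheet may use a different set).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple, Union

GUIDE_WORDS: Dict[str, str] = {
    "NO": "the step does not happen, or its data is absent",
    "MORE": "more of something than intended (quantity, rate, privilege, duration)",
    "LESS": "less of something than intended",
    "AS WELL AS": "the intended action happens plus something extra",
    "PART OF": "only part of the intended action or data occurs",
    "REVERSE": "the opposite of the intended action happens",
    "OTHER THAN": "something entirely different happens",
    "EARLY": "the step happens before its place in the sequence",
    "LATE": "the step happens after its place in the sequence",
}


@dataclass(frozen=True)
class Deviation:
    step_no: int  # 1-based position in the sequential description
    step: str
    guide_word: str

    def describe(self) -> str:
        return f"Step {self.step_no} ({self.step}): {self.guide_word}: {GUIDE_WORDS[self.guide_word]}"


@dataclass(frozen=True)
class Finding:
    attacker: str
    outcome: str
    note: str


# A decision is either a Finding or a string saying why the deviation is not a problem.
Decision = Union[Finding, str]


def enumerate_deviations(steps: List[str]) -> List[Deviation]:
    """Every step crossed with every guide word: the full checklist the analyst walks."""
    return [Deviation(i, step, gw) for i, step in enumerate(steps, 1) for gw in GUIDE_WORDS]


def triage(deviations: List[Deviation], decisions: Dict[Tuple[int, str], Decision]):
    """Split deviations into (findings, dismissed, undecided).

    Undecided entries are what a reviewer looks at first: the gaps in the first pass.
    Keys that point at a step or guide word that does not exist are rejected so a
    typo in the sheet cannot silently hide a deviation.
    """
    valid = {(d.step_no, d.guide_word) for d in deviations}
    bad = set(decisions) - valid
    if bad:
        raise ValueError(f"decisions reference unknown step/guide-word pairs: {sorted(bad)}")
    findings, dismissed, undecided = [], [], []
    for d in deviations:
        key = (d.step_no, d.guide_word)
        if key not in decisions:
            undecided.append(d)
        elif isinstance(decisions[key], Finding):
            findings.append((d, decisions[key]))
        else:
            dismissed.append((d, decisions[key]))
    return findings, dismissed, undecided


def findings_by_outcome(findings) -> Dict[str, List[Deviation]]:
    """Group findings by negative outcome so fixes can be prioritised per outcome."""
    grouped: Dict[str, List[Deviation]] = {}
    for d, f in findings:
        grouped.setdefault(f.outcome, []).append(d)
    return grouped


# ---- constructed sample input (not from any real system) ----
STEPS = [
    "User submits e-mail address on the reset form",
    "Server generates a single-use reset token and stores it with an expiry",
    "Server e-mails the token link to the address on file",
    "User follows the link; server validates the token",
    "User sets a new password; server invalidates the token",
]
ANON, INSIDER = "Anonymous network attacker", "Malicious registered user"
DECISIONS: Dict[Tuple[int, str], Decision] = {
    (1, "MORE"): Finding(ANON, "Denial of service", "Unlimited reset requests flood the mail queue"),
    (1, "OTHER THAN"): Finding(ANON, "User enumeration", "Response differs for known vs unknown addresses"),
    (2, "LESS"): Finding(ANON, "Account takeover", "Token has less entropy than intended and is guessable"),
    (4, "LATE"): Finding(INSIDER, "Account takeover", "Expired token still accepted; stale link in a shared mailbox works"),
    (5, "NO"): Finding(INSIDER, "Account takeover", "Token never invalidated, so a captured link can be replayed"),
    (2, "REVERSE"): "n/a: no meaningful opposite of generating a token",
    (3, "EARLY"): "n/a: the mail cannot be sent before the token exists",
}

if __name__ == "__main__":
    found, dismissed, open_items = triage(enumerate_deviations(STEPS), DECISIONS)
    for d, f in found:
        print(f"[{f.outcome}] {d.describe()} -> {f.attacker}: {f.note}")
    print(f"{len(found)} findings, {len(dismissed)} dismissed, {len(open_items)} still undecided")
```

Running this on the sample flow prints the five findings and reports 38 of the 45 step/guide-word pairs as undecided; those 38 are precisely the items a reviewer would hand back to the first analyst, which is the repeatability the abstract is describing.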
Slides & Spreadsheet