Speaker Details of OWASP Delhi Meeting Oct 2010

= Megha Anand =

Megha Anand is working as a Senior Security Consultant at E&Y and also leads the null Delhi Chapter. She has 4.9 years of total experience. Prior to E&Y, she worked with Tata Consultancy Services, where she was part of the global consulting practice as a security consultant. She holds a Masters in Computer Application from SNDT University, Mumbai.

Her exposure primarily lies in penetration testing, application security reviews, application security testing, application architecture reviews, threat modelling and security policy governance in the banking domain. She also conducts numerous application security training sessions in her company.

Topic: Threat Modelling
"You cannot build secure systems until you understand your threats. Threat modeling is essential to a secure enterprise" - Michael Howard

Threat Modeling is a process of assessing and documenting a system's security risks. This process enables development teams to better understand the threats that a component will face after release. A threat model can help a team decide how to organize their security efforts, such as determining the scope and focus of penetration testing and fuzzing. With techniques such as entry point identification, privilege boundaries and threat trees, you can identify strategies to mitigate potential threats to your system. Your threat modeling efforts also enable your team to justify security features within a system, or security practices for using the system, to protect your corporate assets.

The key to threat modeling is to determine where the most effort should be applied to keep a system secure. This is a variable that changes as new factors develop and become known, applications are added, removed, or upgraded, and user requirements evolve. Threat modeling is an iterative process that consists of defining enterprise assets, identifying what each application does with respect to these assets, creating a security profile for each application, identifying potential threats, prioritizing potential threats, and documenting adverse events and the actions taken in each case.
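The iterative process described above (define assets, record what each application does with them, identify entry points and privilege boundaries, enumerate threats, prioritize them, and document the mitigating action for each adverse event) can be kept as a small, scriptable register rather than a slide deck. The following is an added example written for this page, not code from the talk or from OWASP: the asset values, the 1..5 likelihood and impact scale, the trust levels, the doubling of scores for threats that cross a privilege boundary, and the hypothetical banking-portal threats are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Trust levels in increasing order. An entry point reachable at a lower level
# than the asset requires is a privilege boundary that a threat crosses.
# (Assumed scheme for this example, not something the talk prescribes.)
TRUST_RANK = {"anonymous": 0, "authenticated": 1, "admin": 2}


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # business value, 1 (low) .. 5 (critical); assumed scale
    required_trust: str   # lowest trust level that should legitimately reach it


@dataclass(frozen=True)
class EntryPoint:
    name: str
    trust: str            # trust level of whoever can reach this entry point


@dataclass(frozen=True)
class Threat:
    description: str
    asset: Asset
    entry: EntryPoint
    likelihood: int       # 1..5, assumed scale
    impact: int           # 1..5, assumed scale
    mitigation: str       # the documented action for this adverse event

    def __post_init__(self):
        for label, v in (("likelihood", self.likelihood),
                         ("impact", self.impact),
                         ("asset value", self.asset.value)):
            if not 1 <= v <= 5:
                raise ValueError(f"{label} must be 1..5, got {v}")

    def crosses_privilege_boundary(self) -> bool:
        return TRUST_RANK[self.entry.trust] < TRUST_RANK[self.asset.required_trust]

    def score(self) -> int:
        # likelihood x impact x asset value; doubled when the threat is
        # reachable from below the asset's required trust level
        base = self.likelihood * self.impact * self.asset.value
        return base * 2 if self.crosses_privilege_boundary() else base


def prioritize(threats):
    """Highest score first; ties broken by description so output is stable."""
    return sorted(threats, key=lambda t: (-t.score(), t.description))


def build_model():
    """Constructed register for a hypothetical online-banking portal (illustration only)."""
    pii = Asset("customer account data", 5, "authenticated")
    cfg = Asset("admin configuration", 4, "admin")
    www = Asset("public marketing pages", 1, "anonymous")
    login = EntryPoint("login form", "anonymous")
    api = EntryPoint("account REST API", "authenticated")
    admin_ui = EntryPoint("admin console, exposed to the internet", "anonymous")
    cms = EntryPoint("CMS editor", "authenticated")
    return [
        Threat("Credential stuffing against the login form", pii, login, 4, 4,
               "rate limiting, MFA, breached-password checks"),
        Threat("Insecure direct object reference in account API", pii, api, 3, 5,
               "server-side ownership check on every record access"),
        Threat("Admin console reachable without network restriction or MFA", cfg, admin_ui, 2, 5,
               "restrict to management network, require MFA"),
        Threat("Defacement of marketing pages via CMS editor", www, cms, 2, 2,
               "content review workflow, CMS patching"),
    ]


def report(threats) -> str:
    """Human-readable ranking with asset, entry point and documented mitigation."""
    lines = []
    for t in prioritize(threats):
        flag = " [crosses privilege boundary]" if t.crosses_privilege_boundary() else ""
        lines.append(f"{t.score():4d}  {t.description}{flag}")
        lines.append(f"      asset: {t.asset.name} via {t.entry.name}")
        lines.append(f"      mitigation: {t.mitigation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_model()))
```

Re-running the script after an application is added, removed or upgraded (edit `build_model`, or load the same records from a file) is what makes the model iterative: the ranking, not the document, tells the team where the next round of penetration testing or fuzzing effort should go.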

= Angad Singh & Rohit Shah =

Angad Singh and Rohit Shah are currently working with KPMG. They have extensive experience in information security assessment of varied IT systems, ranging from infrastructure to applications. They specialize in application and network penetration testing, database auditing, configuration review and network architecture analysis.

Topic: VOIP: Emerging Threats and Defenses
Voice over IP (VoIP) has finally come of age and is being rapidly embraced across most markets as an alternative to the traditional public-switched telephone network. VoIP is a broad term, describing many different types of applications (hard phones, softphones, and so on) and using a wide variety of both proprietary and open protocols (SIP, RTP, H.323, and so on). Most major enterprise VoIP vendors are integrating the upcoming protocols into their products. As a result, VoIP-specific attacks such as registration hijacking, BYE call teardown and INVITE flooding are also likely to emerge.

There is no one time fix for solving current and emerging VoIP security problems. Rather, a well-planned defense-in-depth approach that extends your current security policy is your best bet to mitigate the current and emerging threats to VoIP.
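One layer of the defense-in-depth approach the abstract recommends is monitoring: the three SIP threats it names (registration hijacking, BYE call teardown, INVITE flooding) each leave a recognisable pattern in a SIP proxy's log. The following is an added example written for this page, not code from the talk or from any VoIP product: it runs simple detection rules over a constructed, simplified proxy log. The log line format, the IP addresses, the Call-IDs and the flood threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log in a simplified one-line-per-message format (an assumption for
# this example, not any real proxy's format):
#   <ISO time> <source ip> <METHOD or OK> call-id=<id> from=<sip uri>
SAMPLE_LOG = """
2010-10-16T10:00:00 10.0.0.5 REGISTER call-id=reg-a1 from=sip:alice@example.com
2010-10-16T10:00:00 10.0.0.9 REGISTER call-id=reg-b1 from=sip:bob@example.com
2010-10-16T10:00:10 10.0.0.5 INVITE call-id=call-1 from=sip:alice@example.com
2010-10-16T10:00:11 10.0.0.9 OK call-id=call-1 from=sip:bob@example.com
2010-10-16T10:00:11 10.0.0.5 ACK call-id=call-1 from=sip:alice@example.com
2010-10-16T10:00:40 192.0.2.77 BYE call-id=call-1 from=sip:alice@example.com
2010-10-16T10:00:50 192.0.2.77 REGISTER call-id=reg-a2 from=sip:alice@example.com
2010-10-16T10:01:00 198.51.100.3 INVITE call-id=f1 from=sip:x@example.com
2010-10-16T10:01:01 198.51.100.3 INVITE call-id=f2 from=sip:x@example.com
2010-10-16T10:01:02 198.51.100.3 INVITE call-id=f3 from=sip:x@example.com
2010-10-16T10:01:03 198.51.100.3 INVITE call-id=f4 from=sip:x@example.com
2010-10-16T10:01:04 198.51.100.3 INVITE call-id=f5 from=sip:x@example.com
2010-10-16T10:01:05 198.51.100.3 INVITE call-id=f6 from=sip:x@example.com
2010-10-16T10:05:00 10.0.0.9 BYE call-id=call-1 from=sip:bob@example.com
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) call-id=(?P<cid>\S+) from=(?P<aor>\S+)$"
)


def parse(log_text):
    """Turn the constructed log into a list of event dicts with parsed timestamps."""
    events = []
    for raw in log_text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"unparseable line: {raw!r}")
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def analyze(log_text, flood_threshold=5, window=timedelta(seconds=10)):
    """Return a list of alert strings, in log order, for the three SIP threat patterns."""
    alerts = []
    registrations = {}                 # address-of-record -> IP that last registered it
    participants = defaultdict(set)    # Call-ID -> IPs seen sending in that dialog
    invites = defaultdict(deque)       # source IP -> timestamps of recent INVITEs
    already_flagged = set()            # sources already reported for flooding

    for e in parse(log_text):
        ip, method, cid, aor, ts = e["ip"], e["method"], e["cid"], e["aor"], e["ts"]

        if method == "REGISTER":
            # A binding that moves to a new IP is the footprint of registration
            # hijacking. A roaming user re-registering looks the same, so treat
            # this as a signal to correlate with authentication results, not proof.
            prev = registrations.get(aor)
            if prev is not None and prev != ip:
                alerts.append(f"registration for {aor} moved from {prev} to {ip}: "
                              f"possible registration hijacking")
            registrations[aor] = ip

        elif method == "INVITE":
            # Sliding-window count of INVITEs per source for flood detection.
            q = invites[ip]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= flood_threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append(f"{len(q)} INVITEs from {ip} within "
                              f"{int(window.total_seconds())}s: possible INVITE flooding")
            participants[cid].add(ip)

        elif method == "BYE":
            # A BYE from an address that never took part in the dialog is the
            # footprint of a spoofed call teardown.
            if ip not in participants[cid]:
                alerts.append(f"BYE for call {cid} from {ip}, which is not a party "
                              f"to the dialog: possible spoofed call teardown")

        else:
            # OK, ACK and any other in-dialog message mark the sender as a party.
            participants[cid].add(ip)

    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a)
```

On the constructed log this raises exactly three alerts: the BYE from 192.0.2.77 (not a party to call-1), the re-registration of alice from 192.0.2.77, and the burst of six INVITEs from 198.51.100.3; the later legitimate BYE from bob's phone is not flagged. In a real deployment the same rules would sit behind the proxy's authentication (REGISTER and BYE should be authenticated or dialog-matched in the first place), which is the defense-in-depth point: the log rules catch what slips past policy rather than replace it.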