Tuesday, 14 July 2009

International Course on Computer Security and Cryptography 2009

Last week we had the opportunity to attend the 12th edition of the International Cosic Course. This course is organised biyearly by the Cosic research group from KULeuven, and its topics cover Computer Security and Cryptography. The event was sponsored by L-Sec and took place at the Arenberg Castle.

The course itself was very interesting, somewhat mathematical but still educational. You can find the various topics on the Cosic Course site.

The 4-day course began with an introduction to cryptography and PKI. After this introduction the mathematics could start! The second day was a deep dive into various security concepts. The third and fourth days dealt with the implementations of these concepts.

The conference dinner at The Faculty Club on Thursday was a nice way to socialise with the presenters.
All in all, it was a fully packed week with a lot to learn.


Monday, 9 February 2009

ESSoS 2009

Last week I went to the International Symposium on Engineering Secure Software and Systems (ESSoS) 2009. I attended the tutorial on Risk Management in Practice – Model Based Security Risk Analysis with the CORAS Method. I must say, it turned out to be an enlightening day.

I think the main conclusion that can be drawn from the audience comments is twofold. On one hand, the CORAS method, with its diagrams, provides a convenient way to visualise risk and communicate with the customer about it. On the other hand, it lacks the formality (and to be more specific: the checklists) that other Risk Assessment methodologies offer. The best example of the latter was demonstrated during an interactive workshop in which there was (due to the cumulative security expertise in the room) an ad-hoc explosion of vulnerabilities, threat scenarios and unwanted incidents for a relatively simple scenario.

Doing some Google searching on the pointers I got from people in the audience on other Risk Assessment approaches, I found this interesting page on the Europa portal (which does not mention the CORAS method ... yet) that allows you to compare different approaches to Risk Assessment.

If you would like to check out CORAS for yourself, the SourceForge page of the project should be an excellent place to get you started.
