Talks and presentations

Threat Modeling Insider: Risk Centric Threat Modeling

August 23, 2022

Talk, Tampa, FL, USA

The “Threat Modeling Insider” newsletter brings a combination of guest articles, white papers, curated articles and tips on threat modeling. The content is hosted by Toreon. The title of this interview is “Threat Modeling can be considered as fun as cooking a good PASTA meal.” Note: PASTA in the context of threat modeling stands for Process for Attack Simulation and Threat Analysis (PASTA), but metaphorically speaking it can be made as fun as cooking pasta meals. You can read the Q&A of part I of the interview here and part II here.

The Talent Shortage in Information Security

February 02, 2020

Talk, CISO West Millennium Alliance Workshop, Green Valley Ranch, Las Vegas, NV, USA

This document captures key takeaways from Day 2 of the CISO West Millennium Alliance Workshop, focusing on strategies to address the ongoing information security talent shortage. The discussion emphasized prioritizing skills over certifications when hiring, assessing candidates’ soft skills, and leveraging recruiters and social media to identify talent. Additionally, the importance of developing internal talent through training programs and career advancement opportunities was highlighted as a crucial approach to meeting staffing needs. You can download the presentation here and look at the event details, presenters’ bios and talks here.

Security of Biometric Authentication and Emerging Threats

March 21, 2016

Talk, The Future of Security in Financial Services, Sydney, Australia

This is an interview I gave to FST Media’s The Future of Security in Financial Services event in Sydney and Melbourne, in addition to being part of a distinguished panel of executives across financial services. The topic is “How biometric authentication can help in mitigating the risk of emerging threats against authentication, such as the use of banking malware.” You can read the Q&A here.

How to Stay One Step Ahead of a Fraudster’s Threat

October 27, 2015

Talk, Fraud Summit, The Tower Hotel, London, U.K.

The threat of fraudsters breaching organizations continues to escalate, presenting ever-evolving challenges. However, there are effective tools and strategies to combat these risks. By leveraging proactive risk analysis and adopting robust fraud detection and prevention measures, you can stay ahead of these threats. In this session, we will explore the growing wave of cyber threats targeting online banking, including account takeovers, wire fraud, and APT-like malware. We explain how a risk-centric threat modeling approach can uncover insights into the tools, tactics, techniques, and procedures employed by fraudsters.

Creating Actionable Intelligence and the Visualization of Big Data Analytics

October 07, 2014

Talk, London, U.K.

Collecting security and fraud data often results in a large, unstructured pool of facts. Adding context transforms data into actionable information, and triangulating multiple pieces creates intelligence indicative of active threats. This session explores how to generate actionable intelligence, the impact of emerging standards like TAXII/STIX on threat information sharing, and strategies for combining internal data with external threat intelligence feeds. You can download the presentation slides from here.

Accelerating Early Stage Innovation and Growth in Cyber-Start-Ups

September 16, 2014

Talk, The Global CyberSecurity Innovation Summit, London, U.K.

I participated in a panel discussion focused on the role of incubators, accelerators, and innovation hubs in fostering the growth of early-stage companies. The session explored how these initiatives provide critical support through innovation space, access to equipment, mentorship, and occasionally funding opportunities. Panelists, including key contributors to the cyber business ecosystem, shared insights on empowering the next generation of cybersecurity companies to transform ideas into innovative products and services. You can download the program from here.

Securing On-Line Payments Applications

October 09, 2013

Talk, ISACA, Venice, Italy

This talk introduces the methodology of risk-based threat modeling and how it can help in designing countermeasures for threats targeting on-line payment systems.
You can download the presentation slides from here.

Application Security For CISOs

March 03, 2013

Talk, OWASP Atlanta, Atlanta, GA, USA

This document provides an overview of a presentation by Marco Morana from OWASP on developing an OWASP Application Security Guide for Chief Information Security Officers (CISOs). The presentation covers the need for such a guide given the evolving roles and responsibilities of CISOs. It outlines the guide’s structure and contents to provide CISOs with strategic guidance on application security processes, metrics, and technology selection. A four-step project plan is also presented for creating the guide based on input from the security community and CISO surveys. You can download the presentation slides from here. The OWASP CISO guide can be downloaded from here. The OWASP CISO guide printed book can be downloaded from here. The OWASP CISO guide presentation on YouTube can be watched from here and also from here. The OWASP CISO guide podcast can be listened to from here.

Evolving Cyber-threats: Banking Malware

October 27, 2012

Talk, E-crime Congress Meeting, London, UK

This presentation addresses the evolving threat landscape targeting financial applications, focusing on hacking and malware attacks. It explores the progression of cyber threats from simple intrusions to sophisticated tactics employed by fraudsters, hacktivists, and cybercriminals. The presentation features key statistics on recent data breaches and provides examples of malware and hacking methods used for online and credit card fraud. It also outlines strategies for mitigating these threats, including enhancing client-side security, addressing vulnerabilities in web applications, implementing transaction validation and authentication, and utilizing threat prevention and detection techniques. Finally, it discusses the essential skills, tools, and methods required to support enterprise security strategies as cyber threats continue to evolve.

Privacy and Security

September 15, 2012

Talk, University of Cagliari, Cagliari, Italy

This presentation covers a lecture given at a PhD student summer school on security and privacy. The session explores the complexities of privacy by examining the balance between consumer needs, business objectives, and emerging data protection trends. It begins by analyzing how businesses use customers’ private information to drive value, emphasizing the ethical considerations and trade-offs required to maintain consumer trust. The discussion then shifts to the threats facing consumer data, including cyber risks and misuse, while highlighting best practices for safeguarding sensitive information through robust privacy measures. Finally, the session examines future trends shaping data privacy, such as regulatory changes, advancements in privacy-enhancing technologies, and the growing demand for transparency and accountability in handling personal information. You can download the presentation slides from here.

Security By Design: SSO

April 15, 2012

Talk, OWASP Cincinnati Chapter, Cincinnati, Ohio

This document explores single sign-on (SSO) architectural design patterns and security considerations for financial web applications. It begins by highlighting the business need for SSO to integrate multiple systems. The document then covers various SSO use cases and design options, including the use of encrypted tokens or a security token service. It further addresses key security aspects such as input validation, session management, authentication, authorization, and other controls. Additionally, it provides threat models, including examples of attack trees and misuse cases related to SSO architectures. Finally, the document presents a security risk framework to guide the secure design of SSO solutions.

Software Security Initiatives

November 24, 2009

Talk, OWASP-Application Security for E-Government, Milan, Italy

This presentation outlines how to initiate a software security program within an organization using a maturity-based, metrics-driven approach. It suggests evaluating the current maturity level, establishing security standards and processes, and integrating security practices across the software development lifecycle (SDLC). Key metrics to monitor include the percentage of issues identified and resolved at each phase of the lifecycle, the average time to remediate vulnerabilities, and vulnerability density.

Web Services Security

August 30, 2009

Talk, OWASP Cincinnati, Cincinnati, Ohio

The document summarizes the top 10 vulnerabilities for web services proposed by OWASP, which were presented by Gunnar Peterson. It discusses each vulnerability including injection attacks, malicious file execution, insecure object references, information leakage, broken authentication, insecure cryptography, insecure communications, failure to restrict access, broken XML, and identity misuse. It also provides countermeasures to address each vulnerability. The document concludes with questions for discussion on how organizations are securing web services.

Application Threat Modeling

November 23, 2008

Talk, OWASP Cincinnati, Cincinnati, OH, USA

This presentation covers the topic of Application Threat Modeling (ATM) as a systematic approach to identifying security risks in software applications. It describes how ATM can be used at different stages of the software development lifecycle, from requirements to design to testing. The key steps of ATM include decomposing the application, identifying threats and vulnerabilities, analyzing attack vectors, and determining mitigation strategies. ATM helps prioritize risks and supports decision making around risk acceptance, avoidance, or mitigation.
You can download the presentation slides from here.

OWASP Top 10 And Insecure Software Root Causes

November 23, 2008

Talk, OWASP Cincinnati, Cincinnati, OH, USA

This presentation explores the most common web application vulnerabilities and their underlying causes. It provides an overview of the OWASP Top 10 vulnerabilities, detailing each type, the methods attackers use to exploit them, examples of insecure code that facilitate these vulnerabilities, and best practices for secure coding to mitigate them. Key vulnerabilities discussed include cross-site scripting (XSS), SQL injection, malicious file execution, insecure direct object references, cross-site request forgery (CSRF), and information leakage through improper error handling. The document highlights the critical role of secure coding standards and robust input validation in preventing these security flaws. You can download the presentation slides from here.

Software Security Engineering & Risk Management

October 29, 2008

Talk, OWASP CISO Breakfast Meeting, Rochester, NY

The document outlines approaches for building secure web applications by establishing software security processes and assessing maturity levels. It covers essential security activities, such as threat modeling, defining security requirements, implementing secure coding standards, conducting security testing, and tracking relevant metrics. The business case for software security emphasizes reducing the costs associated with vulnerabilities, addressing threats to web applications, and mitigating root causes like application vulnerabilities and design flaws.