Value Driven Threat Modeling - Avi Douglen - AppSecUSA 2018
Value Driven Threat Modeling
What if we could get developers to apply threat modeling techniques, and embed secure design right in the product from the beginning?
Threat modeling is an effective method for identifying potential security weaknesses, and it enables architects and developers to prioritize their security investment efficiently, mitigating and preventing the vulnerabilities that would most likely cause the most damage.
Unfortunately, although threat modeling provides a far greater return than almost any other security technique in a development process, it is apparently "common knowledge" that threat modeling is heavily resource intensive, requires a full team of expensive security professionals, takes up far too much developer time, and does not scale at all.
But the common knowledge is wrong! In fact, using a lightweight, value-driven approach, skilled development teams can very efficiently ensure that the features they build protect themselves, the application, and the business value those features are intended to generate. Value Driven Threat Modeling offers an alternative to top-heavy, big-model-up-front threat modeling, favoring agility, speed, and integration with the existing development cycle, not just to minimize risk but to lower security costs.
This talk will describe Value Driven Threat Modeling and show how to incorporate it into your existing agile methodologies. We will discuss how developers can efficiently threat model their application to improve development, and walk through some example scenarios. And of course, we will see how security can participate productively in the agile development process, leveraging developers' own habits to their benefit.
Speaker
Avi Douglen
Software Security Consultant, Bounce Security
AviD is a high-end, independent security architect and developer who has been designing, developing, and testing secure applications, and leading development teams in building secure products, for around 20 years.
Managed by the official OWASP Media Project https://www.owasp.org/index.php/OWASP...