NorthSec 2020 (Online Edition)

Look! There's a Threat Model in My DevSecOps
2020-05-15, 15:10–15:55, Twitch

Threat Modeling is a crucial activity that often gets left out of DevSecOps. This session will present a fast-paced backlog-based approach that doesn’t require tools or slow down development.


What if I told you that you can bring threat modeling into a DevSecOps, CI/CD environment and that you can do it without buying another automated tool? When developers and security professionals alike think about threat modeling, all too often they become obsessed with frameworks like STRIDE, DREAD, PASTA, etc. Threat modeling is predominantly viewed as a heavy-weight, time-consuming exercise that is simply not compatible with high-paced development paradigms. As a result, as organizations shift into DevSecOps paradigms, they commonly scratch threat modeling off their Secure SDLC checklist as simply impossible to implement without breaking their DevSecOps model. They lose sight of the core purpose of threat modeling and as a result are unable to tailor an approach that fits their development lifecycle.

However, the importance of Threat Modeling cannot be understated. Recent surveys show us how effective Threat Modeling is in developing the culture of shared responsibility for security that is at the very foundation of DevSecOps. In this session, we’ll turn the misconceptions about Threat Modeling upside down. We’ll go back to the core purpose of threat modeling. We’ll discuss what components of threat modeling are most crucial, what questions we should be asking and who should be answering them. Ultimately, this will all culminate into presentation of an alternative approach to Threat Modeling. We’ll walk through the details of how to implement a backlog-based approach in any development paradigm and demonstrate how leveraging the user story can enable Threat Modeling to be done without affecting our development timelines.