NorthSec 2020 (Online Edition)

Look! There's a Threat Model in My DevSecOps
2020-05-15, 15:10–15:55, Twitch

Threat Modeling is a crucial activity that often gets left out of DevSecOps. This session will present a fast-paced backlog-based approach that doesn’t require tools or slow down development.

What if I told you that you can bring threat modeling into a DevSecOps, CI/CD environment and that you can do it without buying another automated tool? When developers and security professionals alike think about threat modeling, all too often they become obsessed with frameworks like STRIDE, DREAD, PASTA, etc. Threat modeling is predominantly viewed as a heavy-weight, time-consuming exercise that is simply not compatible with high-paced development paradigms. As a result, as organizations shift into DevSecOps paradigms, they commonly scratch threat modeling off their Secure SDLC checklist as simply impossible to implement without breaking their DevSecOps model. They lose sight of the core purpose of threat modeling and as a result are unable to tailor an approach that fits their development lifecycle.

However, the importance of Threat Modeling cannot be overstated. Recent surveys show how effective Threat Modeling is in developing the culture of shared responsibility for security that is at the very foundation of DevSecOps. In this session, we’ll turn the misconceptions about Threat Modeling upside down. We’ll go back to the core purpose of threat modeling. We’ll discuss which components of threat modeling are most crucial, what questions we should be asking, and who should be answering them. Ultimately, this will all culminate in the presentation of an alternative approach to Threat Modeling. We’ll walk through the details of how to implement a backlog-based approach in any development paradigm and demonstrate how leveraging the user story can enable Threat Modeling to be done without affecting our development timelines.

Alyssa Miller (CISM) is a hacker, security advocate, author, professional, and public speaker with almost 15 years of experience in the security industry. She has always had a passion for deconstructing technology, particularly since buying her first computer at the age of 12 and teaching herself BASIC programming. In her career, Alyssa has performed all forms of security assessments, but given her developer background, she has a particular dedication to application security. She specializes in working with business and security leaders to design and deploy effective security programs that create a true culture of shared responsibility and developer enablement.

Alyssa is also committed to evangelizing security. Not only does she speak internationally at various industry, vendor, and corporate events, she also engages in the community through her online content, media appearances, and security community activism. Her journey through security was recently featured in an article by Cybercrime Magazine. She has also been recognized in Peerlyst’s e-book “50 Influential Penetration Testers”. Alyssa is a board member of Women of Security (WoSEC) and co-host of The Uncommon Journey podcast, which focuses on the unique stories of security professionals across the community. Finally, Alyssa is an Application Security Advocate for London-based Snyk Ltd.