SecAppDev 2020 Lecture Details

Story-driven threat modeling for the Agile-DevOps age

Abhay Bhargav
Thursday March 12, 14:00 - 15:30
Short description

Find that your Threat Modeling is outmoded, outdated and out of touch with your rapid-release app? Learn how you can change that with "story driven threat models" where you are threat modeling with your Agile Sprint and iterative SDLC


Threat Modeling has largely been done "system-wide". But with modern Agile and DevOps environments, systems are constantly undergoing changes, where a "point-in-time" threat model will be rendered obsolete. Yet, threat modeling is more important than ever before, especially in the age of continuous security.

This talk explores a relatively new approach to threat modeling. The concept is based on modeling stores (as in user stories or feature stories) to arrive at scalable threat models that are granular, iteration-friendly. You will walk away from this talk with new insights into threat modeling, and the inspiration to get started.

Key takeaway

Pratical story-driven threat modeling starting from user stories instead of systems is better suited for an automated DevOps world.

Content level


Target audience

DevOps professionals, application security professionals, application security managers, pentesters


Basic knowledge of application security and threat modeling

Abhay Bhargav

Abhay Bhargav

CEO, we45

Abhay Bhargav is the Founder of we45, a focused Application Security Company. He is the Chief Architect of ÔÇťOrchestron"", a leading Application Vulnerability Correlation and Orchestration Framework. Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA, EU and AppSecCali. His trainings have been sold-out events at conferences like AppSecUSA, EU, AppSecDay Melbourne, CodeBlue (Japan), BlackHat USA 2019, SHACK and so on.

Full speaker profile

Related security activities sessions

Automated software testing and verification

Lecture by Jan Tobias Muehlberg

Discover a technology stack that allows us to construct distributed software systems with well-defined security guarantees. We will address testing, formal verification, and runtime isolation.

Security activities Thursday March 12, 16:00 - 17:30

Application security seen from an enterprise level

Lecture by Stefaan Van Daele

Developing secure code is a good start, what more could you do to improve security posture? The session puts secure application development in the context of an Enterprise Security Architecture model and how these two relate to each other.

Security activities Thursday March 12, 16:00 - 17:30

From the OWASP Top Ten(s) to the OWASP ASVS

Lecture by Jim Manico


Security activities Monday March 9, 14:00 - 15:30