SecAppDev 2022 Lecture Details
Level up your threat modeling practice
Sebastien Deleersnyder
Tuesday June 14, 14:00 - 15:30
Short description
We pulled together our threat modeling vision and strategy with OWASP best practices to create a 'Threat Modeling Playbook'. It shows you how to turn threat modeling into an established, reliable practice.
Abstract
We consider threat modeling a foundational activity to improve your software assurance or product security. Performing a threat modeling exercise is one thing. Scaling it up as a standard practice in an organization is another. Threat modeling is often considered a manual and costly activity with an unpredictable outcome.
We pulled together our threat modeling vision and strategy with OWASP best practices, like OWASP SAMM and the AppSec champion playbook, to create a 'Threat modeling playbook'. With this playbook you turn threat modeling into an established, reliable practice in your development teams and in the larger organization.
Key takeaway
Understand how to build and improve a threat modeling practice to level up your product security.
Content level
Introductory
Target audience
Software developers, architects, product managers, incident responders, and security professionals.
Prerequisites
None

Sebastien Deleersnyder
CTO, Toreon
Sebastien (Seba) Deleersnyder is co-founder and CTO of Toreon. He started the Belgian OWASP chapter and was an OWASP Foundation Board member. With a development background and years of security experience, he has trained countless developers to create more secure software. Leading OWASP projects such as OWASP SAMM, he has genuinely helped make the world a safer place. What’s he currently up to? Right now, he’s busy adapting application security models to the evolving field of DevOps and is also focused on getting the word out on Threat Modeling to a broader audience.
Related security processes sessions
Hands-on threat modeling
One-day workshop by Sebastien Deleersnyder
This is a threat modeling course for DevOps engineers to improve the reliability and security of delivered software. We will teach an iterative and incremental threat modeling method.
You will perform threat modeling in 4 sprints. Exercises are built upon a fictional system, migrating a legacy system towards a cloud application:
- Modeling a hotel booking web and mobile application, sharing a REST backend
- Threat identification as part of migrating the system to AWS
- AWS threat mitigations for the booking system built on microservices
- Building an attack library for CI/CD pipelines
Security processes Thursday June 16, 09:00 - 17:00
Enterprise security architecture and app development
Lecture by Stefaan Van daele
Developing secure code is a good start, but what more could you do from a security point of view? This session puts secure application development in the context of an Enterprise Security Architecture model and illustrates how these two processes interact.
Security processes Monday June 13, 11:00 - 12:30
Persona-based security and threat-modeling
Lecture by Deepak Subramanian
The session will include a presentation about persona-based security leading to persona-based threat modeling. If time permits, a small exercise will be held to build a persona-based organizational threat model.
Security processes Wednesday June 15, 14:00 - 15:30