SecAppDev 2022 Lecture Details

Persona-based security and threat-modeling

Deepak Subramanian
Wednesday June 15, 14:00 - 15:30
Short description

The session will include a presentation about persona-based security leading to persona-based threat modeling. If time permits a small exercise would be held to do a persona-based organizational threat model.

Abstract

A “persona” represents a group of people with similar characteristics. This concept has traditionally been used in sectors such as marketing and design to provide a tailored experience for their target audience. Exploring the possibilities of porting this concept to information security is an interesting and worthwhile endeavor.

In this session, we will explore the details of what personas mean, how to work with them in a security context and apply them for example in threat modeling.

Key takeaway

The details of the meaning of "personas", how to work with them in a security context and apply them for example in threat modeling

Content level

Introductory

Target audience

Organizational security professionals, senior managers, researchers, threat modelers

Prerequisites

General threat modeling, basic understanding of risk, understanding of role-based models like RBAC a plus

Download handouts

Deepak Subramanian

Deepak Subramanian

Expert Security Architect, AXA Climate

I have been in security for quite a long time starting my security journey in web application security, moving to malware analysis and reverse engineering, then worked on information flow control for browser compilers during my PhD, went on to red teaming, followed by being a researcher in a very unique team of experts and presently work as the expert security architect. All these experiences have been invaluable in shaping who I am today. I believe in security experts needing to have programming skills. Seeking enriching conversations in security is a personal passion.

Full speaker profile

Related security processes sessions

Hands-on threat modeling

One-day workshop by Sebastien Deleersnyder

This is a Threat Modeling course for DevOps Engineers to improve reliability and security of delivered software. We will teach an iterative and incremental threat modeling method.

You will perform threat modeling in 4 sprints. Exercises are built upon a fictional system, migrating a legacy system towards a cloud application:

  • Modeling a hotel booking web and mobile application, sharing a REST backend
  • Threat identification as part of migrating the system to AWS
  • AWS threat mitigations for the booking system build on microservices
  • Building an attack library for CI/CD pipelines

Security processes Thursday June 16, 09:00 - 17:00

Solid foundation for a secure future

Lecture by Jaya Baloo

How do we build a better future for information security? This session will discuss the importance of security, along with a path towards a more secure future.

Security processes Wednesday June 15, 16:00 - 17:15

Everything-as-Code - Ideas for a new world of AppSec

Lecture by Abhay Bhargav

Showcasing techniques, tools and practices that underscore and highlight concepts of security-as-code for application security.

Security processes Tuesday June 14, 11:00 - 12:30

Enterprise security architecture and app development

Lecture by Stefaan Van daele

Developing secure code is a good start, but what more could you do from security point of view? This session puts secure application development in the context of an Enterprise Security Architecture model and illustrates how these two processes interact.

Security processes Monday June 13, 11:00 - 12:30

Level up your threat modeling practice

Lecture by Sebastien Deleersnyder

We pulled together our threat modeling vision and strategy with OWASP best practices to create a 'Threat Modeling Playbook'. It shows you how to turn threat modelling into an established, reliable practice.

Security processes Tuesday June 14, 14:00 - 15:30