SecAppDev 2023 - Threat modeling
SecAppDev 2023 offers three days of in-depth lectures and two days of hands-on workshops.
Building secure systems with threat modeling
One-day workshop by Avi Douglen in room Lemaire
Thursday June 15th, 09:00 - 17:30
Threat Modeling is a structured methodology to efficiently analyze complex systems. This can help you identify weaknesses and prioritize appropriate countermeasures. But to maximize its effect, this must be an ongoing practice, not just a one-time activity, so we also introduce a more lightweight "value driven" approach for security-minded developers.
The threat modeling techniques taught in this workshop will guide you in contributing to your product's security, focusing on security features, and designing a secure product architecture.
Learning goal: How to design a secure product with threat modeling. Share useful models to evoke insight and communicate with others. Inspire and convince others to collaborate on threat modeling in a continuous workflow.
42 things
Introductory lecture by Gary McGraw in room West Wing
Wednesday June 14th, 11:00 - 12:30
This session covers 42 things about appsec. SIX software security zombies. TEN software security flaws. SEVEN software security myths. SEVEN startup lessons. FOUR CISO tribes. SEVEN things I learned in 21 years. Oh, and ONE BONUS THING.
Key takeaway: A treasure trove of advice based on the experience of a pioneer in the field of software security, or "42 things" in short.
How to avoid the top ten software security flaws
Introductory lecture by Gary McGraw in room Lemaire
Tuesday June 13th, 11:00 - 12:30
Only 50% of software security defects are bugs. The other half are flaws in the design. This session builds on work from IEEE, Google, Twitter, Harvard, & others to present the top 10 security flaws along with guidelines to avoid them.
Key takeaway: A security top 10, but not as you know it. In this session, we explore the top 10 design flaws, along with guidelines on avoiding them in your applications.