SecAppDev 2025 lecture details
Continuous Threat Modeling: Let Developers Figure It Out
Continuous Threat Modeling for Developers. They're creating the problems, let them create the solution! No, really - enable them to see the security value of the stories they work on, what could go wrong, and what to do about them.
Monday June 2nd, 14:00 - 15:30
Room West Wing
Abstract
Threat Modeling has customarily been seen as a black art, a bit of an arcane discipline that not many are privy to. And that is, basically, wrong. Everyone threat models, all the time. And they very well should!
In this talk we will look at a couple of traditional Threat Modeling methodologies, what they're good for, what they miss, and offer a new one that your developers can run with - agile and principle-based. After that we will look at a threat-modeling-with-code tool, OWASP pytm, that can be used to support continuous threat modeling by your teams, see how it helps and what it doesn't do.
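To make "threat modeling with code" concrete, here is an added, self-contained illustration. It is not OWASP pytm and not material from the talk: it declares elements, trust boundaries and dataflows as plain Python objects and runs a few rules over them, which is the shape of the approach. The element attributes, the rule identifiers TM-001 to TM-004, the sample model and the "hardening story" are all invented for this example. Re-running the rules every time the model changes alongside the code is the continuous part.

```python
"""Threat model as code: a minimal, hypothetical illustration (not OWASP pytm).

Elements, trust boundaries and dataflows are declared as plain Python
objects; a handful of invented rules walk the model and emit findings.
Re-running find_threats() after every change to the model is the
'continuous' part of continuous threat modeling.
"""
from dataclasses import dataclass, replace
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Boundary:
    name: str


@dataclass(frozen=True)
class Element:
    name: str
    boundary: Boundary
    validates_input: bool = False    # hypothetical attribute
    stores_secrets: bool = False     # hypothetical attribute
    encrypted_at_rest: bool = False  # hypothetical attribute


@dataclass(frozen=True)
class Dataflow:
    source: Element
    sink: Element
    label: str
    protocol: str
    encrypted: bool = False
    carries_credentials: bool = False


@dataclass(frozen=True)
class Threat:
    rule: str      # invented rule identifier, not a real taxonomy
    target: str
    description: str


def crosses_boundary(flow: Dataflow) -> bool:
    return flow.source.boundary != flow.sink.boundary


def find_threats(elements: Iterable[Element], flows: Iterable[Dataflow]) -> List[Threat]:
    """Apply the (invented) rule set and return findings in a stable order."""
    found: List[Threat] = []
    for f in flows:
        if crosses_boundary(f) and not f.encrypted:
            found.append(Threat("TM-001", f.label,
                                f"{f.protocol} flow crosses a trust boundary in cleartext"))
        if f.carries_credentials and not f.encrypted:
            found.append(Threat("TM-002", f.label, "credentials sent without encryption"))
        if crosses_boundary(f) and not f.sink.validates_input:
            found.append(Threat("TM-003", f.label,
                                f"{f.sink.name} accepts input from another zone without validating it"))
    for e in elements:
        if e.stores_secrets and not e.encrypted_at_rest:
            found.append(Threat("TM-004", e.name, "secrets stored without encryption at rest"))
    return found


def build_sample_model() -> Tuple[List[Element], List[Dataflow]]:
    """Constructed sample: a login path as it looks before the hardening story."""
    internet = Boundary("Internet")
    dmz = Boundary("DMZ")
    internal = Boundary("Internal network")

    browser = Element("User browser", internet)
    web = Element("Web app", dmz)
    db = Element("Customer DB", internal, stores_secrets=True)

    flows = [
        Dataflow(browser, web, "login request", "HTTP", carries_credentials=True),
        Dataflow(web, db, "customer query", "TCP"),
    ]
    return [browser, web, db], flows


def apply_hardening_story(elements: List[Element], flows: List[Dataflow]):
    """The model change a developer makes alongside the code change for one story:
    TLS on both hops, input validation in the web tier, encryption at rest.
    The DB still does not validate what the web tier sends, so one finding survives."""
    by_name = {e.name: e for e in elements}
    by_name["Web app"] = replace(by_name["Web app"], validates_input=True)
    by_name["Customer DB"] = replace(by_name["Customer DB"], encrypted_at_rest=True)
    new_flows = []
    for f in flows:
        proto = "HTTPS" if f.protocol == "HTTP" else f.protocol + "+TLS"
        new_flows.append(replace(f, source=by_name[f.source.name],
                                 sink=by_name[f.sink.name],
                                 protocol=proto, encrypted=True))
    return list(by_name.values()), new_flows


if __name__ == "__main__":
    elements, flows = build_sample_model()
    before = find_threats(elements, flows)
    after = find_threats(*apply_hardening_story(elements, flows))
    print(f"before: {len(before)} findings, after: {len(after)}")
    for t in after:
        print(f"  {t.rule} on '{t.target}': {t.description}")
```

The point of the example is the workflow rather than the rules themselves: the model lives next to the code, a story changes both, and the rule run (here six findings before the story, one after) is something a team can put in CI so that the remaining finding becomes the next story.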
Key takeaway
Threat Modeling should not be a one-shot-and-done activity by security experts. It needs to be continuous, at the developer level.
Content level
Deep-dive
Target audience
Security Practitioners, Security Champions, Developers and Managers
Prerequisites
A basic understanding of any OO development language and an interest in security
Join us for SecAppDev. You will not regret it!
Grab your seat now
Izar Tarandach
Sr. Principal Security Architect
Expertise: Threat Modeling, Application Security and Barstool Philosophy
Related lectures
Get out of your Bubble: Collaborative Threat Modeling
Deep-dive lecture by Avi Douglen in room Lemaire
Tuesday June 3rd, 16:00 - 17:30
Threat modeling by yourself is great: no one is there to tell you you're wrong. But if you want to discover nontrivial issues, the ones you'd not have on your checklist, you'll need to engage with others. And too often we chase them away.
Key takeaway: Threat modeling is not JUST a technical activity, and should intentionally leverage social techniques to maximize stakeholder participation.
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.
Navigating the Security Landscape of Modern AI
Deep-dive lecture by Vera Rimmer in room West Wing
Wednesday June 4th, 11:00 - 12:30
In this session, we will overview the general security landscape of AI technologies, including foundational machine learning, deep learning, and large language models.
Key takeaway: Integrating AI inevitably increases the threat landscape of a system. Understanding how AI can be exploited is key to developing effective mitigations.