SecAppDev 2025 lecture details
Continuous Threat Modeling: Let Developers Figure It Out
Continuous Threat Modeling for Developers. They're creating the problems, let them create the solution! No, really - enable them to see the security value of the stories they work on, what could go wrong, and what to do about them.
Monday June 2nd, 14:00 - 15:30
Room West Wing
Abstract
Threat Modeling has customarily been seen as a black art, a bit of an arcane discipline that not many are privy to. And that is, basically, wrong. Everyone threat models, all the time. And they very well should!
In this talk we will look at a couple of traditional Threat Modeling methodologies, what they're good for, what they miss, and offer a new one that your developers can run with - agile and principle-based.
After that we will look at a threat-modeling-with-code tool, OWASP pytm, that can be used to support continuous threat modeling by your teams, see how it helps and what it doesn't do.
Key takeaway
Threat Modeling should not be a one-shot-and-done activity by security experts. It needs to be continuous, at the developer level.
Content level
Deep-dive
Target audience
Security Practitioners, Security Champions, Developers and Managers
Prerequisites
A basic understanding of any OO development language and an interest in security
Join us for SecAppDev. You will not regret it!
Grab your seat now
Izar Tarandach
Sr. Principal Security Architect
Expertise: Threat Modeling, Application Security and Barstool Philosophy
Related lectures
Get out of your Bubble: Collaborative Threat Modeling
Deep-dive lecture by Avi Douglen in room Lemaire
Tuesday June 3rd, 16:00 - 17:30
Threat modeling by yourself is great - no one is there to tell you you're wrong. But if you want to discover nontrivial issues, the ones you'd not have on your checklist, you'll need to engage with others. But too often we chase them away.
Key takeaway: Threat modeling is not JUST a technical activity, and should intentionally leverage social techniques to maximize stakeholder participation.
Threat Modeling for Intimate Partner Abuse
Introductory lecture by Eva Galperin in room Lemaire
Monday June 2nd, 09:15 - 10:30
Most developers don't think of protection against domestic abusers as part of a product's security, and they should.
Key takeaway: The intimate partner abuse threat model is different from other models in important and unexpected ways.
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.