SecAppDev 2025 lecture details
Get out of your Bubble: Collaborative Threat Modeling
Threat modeling by yourself is great - no one is there to tell you you're wrong. But if you want to discover nontrivial issues, the ones you'd not have on your checklist, you'll need to engage with others. But too often we chase them away.
Tuesday June 3rd, 16:00 - 17:30
Room Lemaire
Abstract
One of the biggest traps when threat modeling is falling down a rabbit hole of technical details, without examining your assumptions. This creates an inaccurate model of the system, misguided threats, and inefficient use of threat modeling time. Even worse, it leads to unengaged stakeholders, lack of interest in the results, and an activity that is not seen as valuable.
In this talk we will look at ways to make the activity more social and lightweight, encouraging your teammates to contribute information, validate your assumptions, and produce actionable results for a more valuable activity.
Key takeaway
Threat modeling is not JUST a technical activity, and should intentionally leverage social techniques to maximize stakeholder participation.
Content level
Deep-dive
Target audience
Security Practitioners, Security Champions, Developers and Managers
Prerequisites
A basic understanding of modern software development (any language), and security fundamentals.
Join us for SecAppDev. You will not regret it!
Grab your seat now
Avi Douglen
CEO and Application Security Specialist, OWASP Board of Directors, Bounce Security & OWASP
Expertise: Product security, Threat modeling, value driven strategy, and tigger-themed Dad jokes
Related lectures
Continuous Threat Modeling: Let Developers Figure It Out
Deep-dive lecture by Izar Tarandach in room West Wing
Monday June 2nd, 14:00 - 15:30
Continuous Threat Modeling for Developers. They're creating the problems, let them create the solution! No, really - enable them to see the security value of the stories they work on, what could go wrong, and what to do about them.
Key takeaway: Threat Modeling should not be a one-shot-and-done activity by security experts. It needs to be continuous, at the developer level.
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process and a faulty language of risk... Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.
Navigating the Security Landscape of Modern AI
Deep-dive lecture by Vera Rimmer in room West Wing
Wednesday June 4th, 11:00 - 12:30
In this session, we will overview the general security landscape of AI technologies, including foundational machine learning, deep learning, and large language models.
Key takeaway: Integrating AI inevitably increases the threat landscape of a system. Understanding how AI can be exploited is key to developing effective mitigations.