SecAppDev 2025 Faculty
Avi Douglen
CEO and Application Security Specialist, OWASP Board of Directors, Bounce Security & OWASP
Avi Douglen has been building secure applications for decades, and is *obsessed* with maximizing value output from security efforts. Avi is the founder and CEO of Bounce Security, a boutique consulting agency dedicated to helping developers integrate security efficiently into their workflows. He is a frequent speaker, keynote, and trainer, and has trained thousands of developers to build more secure products. AviD is an active contributor to open source communities, including leading the OWASP Israel chapter, creating the popular AppSecIL security conference, co-founding the OWASP Threat Modeling project, and currently serving on the OWASP Global Board of Directors. He is also a community moderator on Security StackExchange, and co-authored the Threat Modeling Manifesto.
Get out of your Bubble: Collaborative Threat Modeling
Deep-dive lecture by Avi Douglen in room Lemaire
Tuesday June 3rd, 16:00 - 17:30
Threat modeling by yourself is great - no one is there to tell you you're wrong. But if you want to discover nontrivial issues, the ones you'd not have on your checklist, you'll need to engage with others. But too often we chase them away.
Key takeaway: Threat modeling is not JUST a technical activity, and should intentionally leverage social techniques to maximize stakeholder participation.
Value Driven Security - A Roadmap to Business Alignment
Introductory lecture by Avi Douglen in room West Wing
Wednesday June 4th, 14:00 - 15:30
Much of security today is generic best practices and checkbox olympics. Shame to waste resources on stuff no one really cares about! Better to map out the business' value streams, and invest efforts in protecting what is actually important.
Key takeaway: Strategic planning requires understanding your environment, your goals, and your challenges. Value-driven mapping techniques help you get there.
No Size Fits All: Customized Application Security Tests
One-day workshop by Avi Douglen in room West Wing
Thursday June 5th, 09:00 - 17:30
The interesting, important, and hard to find bugs are not generic. They often stem from unique business logic, so they require familiarity with the product.
Instead of getting frustrated with generic scans that barely find obvious problems and flood you with false positives, you can run custom checks that find what you care about. In this course, you'll learn how to take your internal knowledge and write custom, tailored scans that will work for you, across the whole codebase.
You’ll leave the course with a clear understanding of how to customize automated security tests for your code efficiently.
Learning goal: Learn how to find subtle, non-generic bugs in your code, make the most of open-source scanners, and set up smart security guardrails—all with practical techniques that fit into real-world development workflows.