This session offers participants an interactive introduction to Threat Modelling as a process for identifying consequential ("Yes, and...") security requirements in software systems. By introducing threat modelling activities into your organisation's software development processes, you will improve the overall quality and security of the applications you build and maintain.
After addressing key questions around the "Five Ws," the presentation will cover the instructor's "Seven Questions" approach to developing a model (an expansion of Adam Shostack's "Four Questions"), and include several interactive exercises.
We'll present an overview of Incremental Threat Modelling as an approach to building threat models for existing/legacy systems. A brief review of available modelling tools will also be included, along with a discussion of the opportunities and challenges for introducing Threat Modelling into your SDLC.