DeepSec 2019 Talk: Lost in (DevOps) Space — Practical Approach for “Lightway” Threat Modeling as a Code — Vitaly Davidoff
Threat Modeling is a primary method for identifying potential security weaknesses and is an important part of any secure design. Threat Modeling provides a model to analyze how to best protect your assets, prevent attacks, harden your systems, and efficiently prioritize security investment. Regardless of programming language, Threat Modeling provides a far greater return than most other security techniques in the software development life cycle (SDLC) process. Therefore, Threat Modeling should be an early priority in the application design process. Unfortunately, it is common knowledge that building a full threat model is always heavily resource-intensive, requires a full team of expensive security professionals, takes up far too much time, and is not scalable. This talk will describe modern Threat Modeling methodology and practices that can be fully incorporated into your existing agile process. We will discuss how to architect a robust Threat Modeling framework to be part of a Secure SDLC approach.
We asked Vitaly a few more questions about his talk.
Please tell us the top 5 facts about your talk.
Threat Modeling is a very important process, but it is not aligned with the Agile development process and the DevOps paradigm. Security specialists do not scale enough and don’t have time to run Threat Modeling exercises for every new feature or…