DeepSec 2020 Talk: Old Pareto had a Chart: How to achieve 80% of Threat Modelling Benefits with 20% of the Efforts – Irene Michlin
The earlier in the lifecycle you pay attention to security, the better the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses at the design level. However, organisations often perceive it as too expensive to introduce, or too slow to fit modern lifecycles, be it Agile, Lean, or DevOps.
This talk will show how to fit threat modelling in fast-paced software development, without requiring every developer to become an expert. The outcomes should be immediately applicable, hopefully empowering you to try it at work the day after the conference.
We asked Irene a few more questions about her talk.
Please tell us the top 5 facts about your talk.
- Based on my experience introducing threat modelling in software development organisations
- Real life examples
- Caters to both experienced security professionals and novice practitioners
- You will come out of it with actionable ideas, whether you are a developer or a security engineer
- 80/20 may not be the answer to life, universe, and everything, but it’s pretty close. Adopting this approach really helps with lots of things in secure development.
How did you come up with it? Was there something like an initial spark that set your mind on creating this talk?
I can see teams struggling to fit threat modelling into their day-to-day work, even if they know it’s important. Just want to spread the joy – it can be fun and easy to pick up, and you are probably already doing a lot in that direction.
Why do you think this is an important topic?
Threat modelling can catch issues that other methods in your SDLC won’t. And it will catch them early, saving you a lot of pain. Threat modelling ability is one of the stepping stones towards DevSecOps.
Is there something you want everybody to know – some good advice for our readers maybe?
Threat modelling is not just for security professionals but everyone in design and engineering.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your talk in particular?
Security will become even more mainstream in software development. No professional (developer, QA engineer, DevOps, whatever your title) will be able to say, “Security is not part of my job”.
Irene Michlin is a security consultant at IBM. Before going into application security consultancy, Irene worked as a software engineer, architect, and technical lead at companies ranging from startups to corporate giants. Her professional interests include securing development life-cycles and architectures.