DeepSec 2020 Training: Threat Modelling: The Ultimate “Shift Left” – Irene Michlin & Kreshnik Rexha
The earlier in the life-cycle you pay attention to security, the better are the outcomes. Threat modelling is one of the best techniques for improving the security of your software. It is a structured method for identifying weaknesses on design level. The participants will learn the technique and gain practical skills through exercises.
The curriculum of the training consists of :
- Threat modelling: introduction and motivation
- Data Flow Diagrams
- STRIDE
- Beyond STRIDE
- Prioritization
- Mitigations
- Integrating threat modelling in SDLC
This training targets mainly blue teamers, as well as software developers, QA engineers, and architects; but will be also beneficial for scrum masters and product owners.
We asked Irene and Kreshnik a few more questions about their training.
Please tell us the top 5 facts about your training.
- Lots of hands-on exercises and group work
- Based on trainings we do for clients and shorter conference workshops
- You won’t need a laptop
- Caters to both experienced security professionals and novice practitioners
- A thorough mix of different techniques, strategies and practical work to allow threat modelling to fit in any organisation regardless of the maturity state.
How did you come up with it? Was there something like an initial spark that set your mind on creating this training?
Yes! Someone mentioned that learning and doing threat modelling is tedious and lots of work. And I thought – no way! It can be fun and easy to pick up, let’s spread the joy.
Why do you think this is an important topic?
- Threat modelling can catch issues that other methods in your SDLC won’t. And it will catch them early, saving you a lot of pain.
- Threat modelling in our method provides rare occasions where business, engineering, architecture and security work together towards a unified security view of what is being developed.
- Threat modelling ability is one of the stepping stones towards DevSecOps.
Is there something you want everybody to know – some good advice for our readers maybe?
Threat modelling is not just for security professionals but everyone in design and engineering. We have had very positive experience where engineers own threat modelling activities. After all, security issues are just engineering bugs.
A prediction for the future – what do you think will be the next innovations or future downfalls when it comes to your field of expertise / the topic of your training in particular?
Security will become even more mainstream in software development. No professional (developer, QA engineer, DevOps, whatever your title) will be able to say, “Security is not part of my job”.
Irene Michlin is a security consultant at IBM. Before going into application security consultancy, Irene worked as software engineer, architect, and technical lead at companies ranging from startups to corporate giants. Her professional interests include securing development life-cycles and architectures.
Kreshnik Rexha is a consultant security architect at IBM Security. Before joining the consultancy practice Kreshnik has worked in multiple roles in industry including software development, infrastructure engineering, architecture and risk & compliance mainly in large enterprises in the financial sector. He has also spend a considerable part of his career teaching security in various UK educational institutions. Kreshnik’s professional interests are DevSecOps and Key /Secret Management.