
Myths of Threat Modeling - AppSec California

Offered By: OWASP Foundation via YouTube

Tags

Conference Talks Courses, Software Security Courses, Continuous Integration Courses, Threat Modeling Courses, Static Analysis Courses

Course Description

Overview

Debunk common misconceptions about threat modeling in this 55-minute conference talk from AppSec California 2016. Explore six prevalent myths that may be hindering the implementation of this crucial secure design activity. Learn how to initiate threat modeling easily and effectively as Jim DelGrosso and Brook Schoenfield provide factual information to dispel industry-accepted misinformation. Gain insights into topics such as the relationship between penetration testing and threat modeling, the ideal timing for threat modeling, and the misconception that security expertise is required. Discover practical approaches to start with simple threat models, avoid common engineering pitfalls, and develop threat modeling as a teachable skill. Examine the differences between threat modeling and static analysis, and understand its role in authentication and continuous integration processes. Leave with a clearer understanding of threat modeling's importance and the confidence to implement it in your secure design practices.

Syllabus

Intro
Overview
We already do pen tests
I don't want a threat model
It's too late
We already did the threat model
Start with something simple
Avoid falling into the classic engineer's trap
It's a teachable skill
We don't have security experts
We have never found a flaw
No silver bullets
Threat modeling vs static analysis
Authentication
Continuous Integration


Taught by

OWASP Foundation

Related Courses

Information Security Management
Higher School of Economics via Coursera
Planning a Security Incident Response
Microsoft via edX
Identifying Security Vulnerabilities
University of California, Davis via Coursera
Secure Coding Practices
University of California, Davis via Coursera
Atlas Security
MongoDB University