Iterative Threat Modelling - Security in Agile Development

Explore iterative threat modeling techniques for enhancing security in agile development processes in this conference talk from Conf42 DevSecOps 2023. Gain insights into common misconceptions about threat modeling, learn how to apply agile principles to security practices, and understand the STRIDE methodology for identifying potential threats. Discover practical examples using the OWASP Juice Shop project, covering key steps such as defining security objectives, scoping, creating data flow diagrams, and prioritizing risks. Delve into mitigation strategies, reflection techniques, and various workshop formats for implementing threat modeling in your software development lifecycle. Walk away with valuable takeaways and resources to further your knowledge in this critical aspect of DevSecOps.

intro
about jags
expectations
threat modelling
misconceptions about tm
agile threat modelling
owasp juice shop
before starting...
example: security objective
what do we want to accomplish? - scoping
example: scoping
what are we building? software-centric approach
example: data flow diagram
what can go wrong? - evil brainstorming
methodology. No 'best' way
spoofed identity
tampering with input
repudiation of action
information disclosure
denial of service
elevation of privilege
example: applying stride
what are we going to do about it? - prioritize
example: prioritize
mitigation
example: mitigation
did we do a good job? - reflect...
iterative threat modelling ...and repeat
ways of running the workshop
learn more
threat modelling in software development lifecycle
what was the mnemonic again?!?!
takeaways