Threat Modeling Wins for Agile AppSec
June 2021 • Presentation
This talk by Rahul Raghavan, AppSec Advocate, we45, was presented at DevSecOps Days Pittsburgh 2021.
Software Engineering Institute
"There are two ways of constructing a software design. One way is to make it so simple that there are obviously no deficiencies. And the other way is to make it so complicated that there are no obvious deficiencies" - CAR Hoare
Threat modeling has long been a 'design level' activity that fits in right at the beginning of a well-defined application security strategy, and rightfully so. However, the current speed and scale of product and security engineering has forced software teams to overlook this very critical element of software security...and rightfully so!
In this talk, I delve into the world of application threat modeling, expanding and demystifying the chatter that product teams have been exposed to, expanding on some of the cause and effects of threat modeling not seeing its rightful place in agile product engineering. The presentation will also introduce the audience to two schools of thought -- component-driven threat modeling and offense (abuser case) driven threat modeling, with their unique set of use cases and applicability.
The talk will culminate in introducing the ThreatPlayBook - the open-source, community-driven threat-modeling-as-code fabric.
Takeaways from the talk include:
- The context of threat modeling in the current state of product engineering
- The problem with threat modeling today
- A compare and contrast of component-driven and offense-driven threat modeling
- Threat modeling as a route to better test case design and automation
- Threat modeling as code using ThreatPlayBook
The sheer pervasiveness of applications, their associated software engineering process and therefore the variance of application security quotient across software teams is what drives Rahul's primary role as an AppSec Advocate at we45.
Having worked on both the building and breaking sides of product engineering, Rahul appreciates both the constraints and the opportunities of imbibing security within the software lifecycle. This understanding created a natural segue for we45’s custom security solution engineering and enhanced AppSec service delivery models for its global customers.
As an active DevSecOps Marketer, Rahul works closely with the offices of CTOs and CIOs in the setting up of cross-functional skill-building and collaboration models between engineering, QA, and security teams to build and manage software security maturity frameworks.
Rahul is a Certified Information Systems Auditor (CISA) and is a regular speaker at global conferences, seminars, and meetup groups on the following topic areas:
- Application Security Automation and DevSecOps
- AppSec Tooling
- Threat Modeling in Agile Engineering
- QA: Security Mapping
- Automation ROI Modelling
- AWS Security
- Secure Software Maturity Models