Threat Modelling: From None to Done

John DiLeo (Datacom)

This session offers participants an interactive introduction to Threat Modelling as a process for identifying consequential (“Yes, and…”) security requirements in software systems. By introducing threat modelling activities into your organisation’s software development processes, you will improve the overall quality and security of the applications you build and maintain.

After addressing key questions around the “Five Ws” (who, what, when, where, and why), the presentation will cover the instructor’s “Seven Questions” approach to developing a model, an expansion of Adam Shostack’s “Four Questions” (What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job?), and will include several interactive exercises.

We’ll present an overview of Incremental Threat Modelling as an approach to building threat models for existing/legacy systems. A brief review of available modelling tools will also be included, along with a discussion of the opportunities and challenges for introducing Threat Modelling into your SDLC.

Learnings

  • Motivations for, and benefits of, including Threat Modelling as part of business-as-usual (BAU) development practices
  • A scalable, easy-to-manage methodology for performing threat modelling
  • An approach to getting started on modelling for existing/legacy systems

Attend the Training

Tickets are on Eventbrite.

About John

Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter, and chairs the annual OWASP New Zealand Day conference. He’s a Principal Consultant on Datacom New Zealand’s Application Security Services team, providing support and guidance to clients in launching, managing, and maturing their enterprise software assurance programs.

Before turning to full-time roles in application security, John was active as a Java enterprise architect, Web application developer, and university lecturer. Earlier in his career, John specialised in developing discrete-event simulations of distributed systems.

John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, and is active on the OWASP Education and Training Committee.