Overview
Explore value-driven threat modeling techniques to efficiently embed secure design into product development from the start. Learn how development teams can protect applications and business value without extensive resources or time investment. Discover an agile approach to threat modeling that integrates with existing development cycles, minimizing risk and lowering security costs. Walk through example scenarios, understand how to incorporate this methodology into agile processes, and see how security professionals can productively participate in development by leveraging developers' habits. Gain insights from Avi Douglen, a seasoned software security consultant, as he presents at AppSecUSA 2018, covering topics such as STRIDE, attack trees, PASTA, and the OWASP Juice Shop project.
Syllabus
Intro
Summary
About Me
Classic Methodologies
STRIDE Per-Element
Attack Trees
P.A.S.T.A.
Documentation?
Back to Basics
Reframing TM
Scope
For each feature: Find the value
Workflow
OWASP Juice Shop
Definition of Done
Acceptance Criteria
Security Unit Tests
Abuser Stories
Updated User Story Format
Threat Pyramid
Story Points: Relative estimate of effort
Communication
Benefits over Classic TM
Limitations
Taught by
OWASP Foundation