Workshop
Thu, 9 Nov, 16:00 - 17:30

Continuous Security: Leverage Incremental Threat Modeling

About this event

How do you introduce threat modeling to an existing codebase without slowing everything else down (aka the expensive “security push”)?

Incremental threat modeling might be the answer. It concentrates on current additions and modifications, so it can be time-boxed to fit the tightest of agile lifecycles and still deliver security benefits.

In this hands-on workshop, you’ll:

  • Learn the technique of incremental threat modeling
  • Practice modeling the addition of a new feature to a realistic architecture
  • Find threats relevant to the feature while keeping the activity focused (i.e., not trying to boil the ocean)

Who is this session for?
This session mainly targets blue teamers, as well as software developers, QA engineers, and architects, but it will also be beneficial for scrum masters and product owners.

About the workshop leader
Irene Michlin is the Application Security Lead at Neo4j with 15+ years of hands-on cyber security experience in technical positions, distributed teams and project management. She is also a co-author of the Threat Modeling Manifesto. 

Full disclosure 🙂
Threat modeling is not the same as adding tests to a ball-of-mud codebase and eventually getting decent test coverage. You won’t be able to get away with doing just incremental modeling without tackling the whole picture at some point. But here’s the good news: by that time you can approach the big picture with more mature skills and get a better overall model with less time spent than if you had tried to build it upfront.

Event details
Virtual
Thu, 9 Nov, 16:00 - 17:30 (UTC)
V2