Recording

Being VERY Agile with Rapid Threat Model Prototyping (RTMP)

  • 29 January 2024

Overview

There are many complex and unwieldy methodologies for threat modeling, and roadmaps for integrating threat modeling with Agile are non-existent. What you will get from this talk:

  1. A brief outline of RTMP as a great threat modeling methodology
  2. How to implement RTMP into an Agile-based development environment

Outline

  • A brief outline of RTMP as a great threat modeling methodology
    • It is based on sound, tested and quick steps for regular engineers to assess threats on a proposed software system and provide quick mitigations.
    • It is based on the three principles of Consistency in data, Repeatability in steps and Measurability in outcomes. Threat models can be standardized easily and compared/contrasted.
  • How to implement RTMP into an Agile-based development environment
    • Why Security Champions are key to success
    • Where this fits in strategic business decision-making
    • How to integrate threat model inputs and outputs effectively into a CI/CD pipeline
  • What actions should be taken at the product/epic level and at the team/story/specification level

Slides

https://4550632.fs1.hubspotusercontent-na1.net/hubfs/4550632/Threat%20Modeling%20Connect/ThreatModCon/ThreatModCon2023%20Slides/ThreatModCon2023_ThreatModelAgileIntegration_GeoffHill.pdf

About the speaker

Geoff Hill worked in the past for 5 years on Wall Street as a commodities trader. He created an options pricing program and sold the results daily on the NYC Commodities Exchange. He has also spent 8 years at Microsoft; one framework he created was an Agile-focused SDL process for their customers.

While at Microsoft, Geoff worked on threat model theories with Adam Shostack, the leading threat model specialist in the world. He has worked for Cigital (a specialist security firm, now part of Synopsys) for 2 years and then spent 4 years as a software security architect for Visa Europe. He has been a threat modeling and application security trainer for 10+ years.

Most importantly, he is a co-founder of an Agile-based threat model consultancy and the creator of the cloud-based Tutamen automated threat modeling SaaS product (founder of Tutamantic_Sec).
