Security BSides London, the UK’s biggest community-driven infosec conference, is happy to announce its 8th iteration, open to all regardless of background, skill level, income or job title.
  • Doors to the main event open at 8.30am with talks starting at 9am on 5 June 2019
  • Workshops will be held on 4 June 2018 starting at 10am; Pre-registration is required
Please remember that Security BSides London has a strict code of conduct available here
Tuesday, June 4 • 12:15 - 16:15
Incremental Threat Modelling - how to fit threat modelling into a fast lifecycle


The earlier in the lifecycle you pay attention to security, the better the outcomes. Threat modelling is one of the best techniques for improving the security of your software: a structured method for identifying weaknesses at the design level. However, people who want to introduce it into their work on an existing codebase often face time pressure, and very rarely can a company afford a “security push”, where all new development stops for a while in order to focus on security. Incremental threat modelling, which concentrates on current additions and modifications, can be time-boxed to fit the tightest of agile life-cycles and still deliver security benefits.

Full disclosure is necessary at this point: threat modelling is not the same as adding tests to a ball-of-mud codebase and eventually getting decent test coverage. You will not be able to get away with doing just incremental modelling without tackling the whole picture at some point. But the good news is that you will approach this point with more mature skills from having practised, and you will get a better overall model with less time spent than if you had tried to build it upfront.

We will cover the technique of incremental threat modelling, and then the workshop will split into several teams, each one modelling the addition of a new feature to a realistic architecture. NB: at least one example will be about machine learning. Participants will learn how to find the threats relevant to the feature while keeping the activity focused (i.e. not trying to boil the ocean). This session targets mainly blue teamers, as well as software developers, QA engineers, and architects, but will also be beneficial for scrum masters and product owners.

Speakers

Nick Dunn

Nick Dunn is a security consultant and an occasional developer of hacking tools and scripts. After several years working as a secure software developer, he found out that breaking things could be more fun than building them and became a penetration tester, at which point he discovered...

Irene Michlin

Irene Michlin is a security consultant at IBM, where she leads the Application Security practice in the European centre of competency. Before going into application security consultancy, Irene worked as a software engineer, architect, and technical lead at companies ranging from startups...


Tuesday June 4, 2019 12:15 - 16:15 BST
Track 4 ILEC Conference Centre 47 Lillie Road London SW6 1UD