Thoughts on Threat Modelling



12:00-12:15 Arrivals & Networking
12:15-12:30 Welcome and Cyber Security News Update, Jon Edney [CISSP, CEH, CIPT]
12:30-13:30 Thoughts on Threat Modelling, John DiLeo, Solution Architect – Asia Pacific, IriusRisk


As an Application Security Consultant, I’ve had numerous opportunities over the years to present training and talks on threat modeling. Over the years, my thinking has evolved, and I’ve focused on using threat modeling as a source of an application’s “consequential” security requirements – security features our applications require as a consequence of including a required functional capability.

The approach I teach, promote, and facilitate is based on Adam Shostack’s “Four Questions,” but I’ve expanded and (I think) clarified those questions. In this talk, I’ll address the Five Ws of threat modelling, then present an overview of my “Seven Questions” approach.

To wrap up, I’ll look at how to get a Threat Modelling program started, dealing with legacy systems, and choosing the right threat modelling tool(s) to meet organisational needs.


Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter. In his day job, John is a lead Solution Architect at IriusRisk, covering the Asia/Pacific region. Before joining IriusRisk, John led the Application Security Services team at Datacom, providing support and guidance to clients in launching, managing, and maturing their enterprise software assurance programs.

Before turning to full-time roles in security, John was active as a Java enterprise architect and Web application developer. In earlier lives, John was a full-time professor, specialising in developing discrete-event simulations of large distributed systems.

John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, leads the OWASP State of AppSec Survey Project, and is a member of the OWASP Education and Training Committee.