Event

Thoughts on Threat Modelling

10/10/2023
KPMG Tauranga Office | 247 Cameron Road - Level 2, Tauranga, Bay of Plenty

Agenda

12:00-12:15 – Arrivals & Networking
12:15-12:30 – Welcome and Cyber Security News Update, Jon Edney [CISSP, CEH, CIPT]
12:30-13:30 – Thoughts on Threat Modelling, John DiLeo, Solution Architect – Asia Pacific, IriusRisk
13:30-13:45 – Networking

Summary

As an Application Security Consultant, I’ve had numerous opportunities over the years to present training and talks on threat modeling. Over the years, my thinking has evolved, and I’ve focused on using threat modeling as a source of an application’s “consequential” security requirements – security features our applications require as a consequence of including a required functional capability.

The approach I teach, promote, and facilitate is based on Adam Shostack’s “Four Questions,” but I’ve expanded and (I think) clarified those questions. In this talk, I’ll address the Five Ws of threat modelling, then present an overview of my “Seven Questions” approach.

To wrap up, I’ll look at how to get a Threat Modelling program started, dealing with legacy systems, and choosing the right threat modelling tool(s) to meet organisational needs.

Presenter

Dr. John DiLeo is the Auckland-area leader of the OWASP New Zealand Chapter. In his day job, John is a lead Solution Architect at IriusRisk, covering the Asia/Pacific region. Before joining IriusRisk, John led the Application Security Services team at Datacom, providing support and guidance to clients in launching, managing, and maturing their enterprise software assurance programs.

Before turning to full-time roles in security, John was active as a Java enterprise architect and Web application developer. In earlier lives, John was a full-time professor and specialised in developing discrete-event simulations of large distributed systems.

John is on the core team for the OWASP Software Assurance Maturity Model (SAMM) Project, leads the OWASP State of AppSec Survey Project, and is a member of the OWASP Education and Training Committee.

RSVPs are no longer available for this date. Sorry.