Monday, August 13 • 1:30pm - 5:00pm
Lightweight Security in Agile Enterprise Environments: Introducing Threat Modeling Express: Rohit Sethi


You care about security, but common secure Software Development Life Cycle (SDLC) practices such as traditional threat modeling and secure requirements analysis seem to be geared towards Waterfall development. What can you do? In this session we will explain the concept of Threat Modeling Express and model one of the audience member's actual applications, live, together.

Threat Modeling Express is a two-hour activity you do once a quarter that helps you put the right security requirements in your backlog (or other ticket/story/requirements management repository). It's extremely lightweight: you need a developer (yourself), somebody with security knowledge (possibly another developer), and somebody who represents business priorities (a product owner?). Together in a room you hash out the most common user stories/use cases, possible malicious intents, the technical means to achieve those intents, a group risk rating, and the countermeasures to add to your backlog. At the end of the session you have group buy-in on the security risks you care about and how important they are relative to everything else. This is as lightweight as application security gets: attend if the words "lightweight" and "security" both appeal to you.

Threat Modeling Express is an alternative to more rigorous / comprehensive design-level security activities such as threat risk assessments, traditional threat modeling, and architectural risk analysis. Threat Modeling Express sacrifices rigor in favor of speed. It is a process defined by Security Compass (an application security consultancy), but it really just describes a set of techniques that companies have been practicing informally for years. It's not proprietary, and you can do it on your own without any third-party assistance if you have the necessary domain expertise in-house.
The speaker is one of the people who coined the term and has taught and used Threat Modeling Express at several large companies, primarily in the financial services and utilities industries. NOTE: Although the speaker's personal agile experience is with Scrum, the process works equally well in other agile environments.

More information about Threat Modeling Express:

* http://www.infoq.com/articles/threat-modeling-express
* https://msevents.microsoft.com/CUI/EventDetail.aspx?culture=en-US&EventID=1032476372&CountryCode=US%20ForceRecrawl:%200
* http://submit2012.agilealliance.org/files/session_pdfs/Threat Model Express_Agile 2012.pdf


Monday August 13, 2012 1:30pm - 5:00pm CDT
Dallas 6-7
  Enterprise Agile