From Security Last to Security First: How Threat Modeling Can Help Your Agile and DevOps Teams Make the Shift

By Ed Schaefer

Elevator Pitch

Too many agile teams take a “security last” approach, relying on scans and automation to fix known vulnerabilities. Threat Modeling gives teams a shared language and model for security so they can think like an attacker and a tool to build into their schedule to really be “security first”.

Description

Agile and DevOps teach us to “put security first” and “build in security”, but how many teams are actually doing it? We get so focused on delivering value to our customers that we rely on scans and tools to find already known vulnerabilities and are always in a state of catching up - really a “security last” approach. It’s difficult to think like an attacker when we’re already behind - how can we flip this? Threat Modeling gives us a tool we can use to learn to think more like an attacker. It gives us a shared model and terminology so we can communicate about security better. By gamifying it and building it into the team’s schedule we can fix vulnerabilities before they become a threat, and have fun doing it. Adding Threat Modeling to our agile team toolkit will not only reduce risk, but help to develop security-minded teams who can actually say they “put security first”.

After this talk attendees will be able to:

- Describe why “security first” is missing from most agile and DevOps teams
- Explain what Threat Modeling is and why it is useful
- Understand the differences between the STRIDE, STRIPED, and LINDDUN threat models and know how to use them to create better conversations around security
- Use Threat Modeling as a game to think more like an attacker
- Introduce Threat Modeling to teams and help them make it a regular team activity

Notes

No special technical requirements - PowerPoint and presentation clicker, or ability to use my own.

I am an agile coach who always looks for new approaches to help teams be their best and deliver the best possible work. As a result I am constantly finding and experimenting with new tools and techniques to improve the software development process and experience. I have always been very security-minded and have a Master's in Information Assurance from Regis University, and have always looked for ways to help teams think more about security and really put security first. Threat Modeling is a tool I learned about and was lucky to be able to take a workshop with the creator Adam Shostack. This is a tool that I think is very useful for many teams and can create an easy entry point for helping teams to think more like an attacker, talk about security regularly, have a shared language and approach for looking at security problems, and can be a fun activity that is great to slot into a team's working cadence. This is a tool I think is useful for many people, so any opportunity I have to share it I try to take.

I moved to Tulsa in mid-2022 and have been trying to grow in the local tech community. I moved from the Denver metro area in Colorado where I was (and still am) heavily involved in the agile and DevOps communities. I am an organizer for the Agile Denver Kanban Community of Practice, recently joined as an organizer with the Techlahoma Tulsa Agile Practitioners, have presented at these meetups, and done a fair amount of internal presenting. I had a CFP accepted to the 2020 Mile High Agile Conference, though was unable to present as this conference was cancelled due to the pandemic. I am looking for opportunities to speak to the community and grow as a professional speaker and IT thought leader, and the BSides conference seems like a great match for my skills, interests, and aspirations.