Ian Peters | Threat modelling and Secure development
Ian has been working in IT Security his entire adult life. After initially working for the British government, he moved to the real world and did security consultancy for companies around the world. He’s now been a nomad (or bum, as his friends call it) for a year, working on assorted projects, both InfoSec and non-InfoSec related.
Whether developing a small website, a client-side application, or a multi-layer cloud solution, IT security is important – get it wrong and not only will your brand be compromised but you may suffer serious financial consequences as well. Having a secure development methodology will not only make it more likely that your product will be secure enough, but it will also likely save you money in the long run. An important part of any secure development methodology is threat modelling – analysing the threats, risks, and impact of loss which apply to your product, and cost-effective mitigations which can be used to reduce these. This workshop will introduce the concept of a Secure Development Lifecycle, including references to the most common implementations. We will then work through threat modelling in more depth, performing some threat modelling of a real-world (non-IT) scenario. If time allows, we will then repeat the exercise for an IT/dev scenario. While primarily aimed at developers themselves, this workshop will be useful for anyone involved in software or system development, including PMs, QA/test, system architects, etc.