From DevOps to DevSecOps: How Establishing a Threat Modeling Process Can Help You Transition

A presentation at NDC Oslo by Bruno Amaro Almeida

Are you happy with your current Security practices? Is your company moving towards a DevSecOps culture?

Security is a crucial part of engineering projects but is often disregarded as something to be added later. One reason is a lack of knowledge about the practices that enable a transformation. We can no longer rely on Infosec departments getting involved in a later phase to help improve the system's security. Security needs to be considered from the get-go, as a basic element (similar to the infrastructure, CI/CD, etc.), by the same people creating and developing the system.

Where can we start? How can security be included in a project's day-to-day work?

In this talk we will learn how establishing a Threat Modeling process can help you move from DevOps towards DevSecOps.

Threat Modeling is a proven and effective process that can be applied to any project and to teams of different sizes. It will help you identify potential threats (blind spots) from an attacker's point of view and translate those into new items for your backlog.

In addition to the enhanced security, your project will gain better technical documentation, and your team will become more engaged, with a better understanding of the big picture and the project's business requirements.