By: Altaz Valani, Research Director, Security Compass
At the IEEE Cybersecurity Development Conference in Cambridge, Mass on October 2nd, I will deliver my presentation “Rethinking Secure DevOps Threat Modeling: The Need for a Dual Velocity Approach” to an audience of cyber professionals.
My presentation will discuss how business models compete on achieving speed of delivery to end customers. To support this, development teams emphasize automation and Secure DevOps as key enablers. The challenge is maintaining speed to support the business needs when security activities like threat modeling require highly skilled individuals and detail analysis. Conducting threat modeling on a per application basis each time is too slow. We have challenges with initially creating data flow diagrams. Furthermore, application changes can happen several times a day which makes continual creation of data flow diagrams too cumbersome.
To register to attend my presentation at the IEEE Cybersecurity Development Conference click here.
As part of my presentation, I will illustrate how the creation of a correlation matrix that integrates common lists with application abstractions can solve this. The result is an additional lightweight threat modeling approach which is quicker and addresses many use cases where a detailed modeling approach is not necessary. This dual velocity approach lends itself better to scalable automation and traceability in Secure DevOps.
To learn more about Tactical Threat Modeling be sure to download SAFECode’s “Tactical Threat Modeling” whitepaper which can be downloaded here. The whitepaper provides guidance about threat modeling as well as the basic framework for conducting a successful threat-modeling effort.