Threat Modeling Selling The Idea

When and where

The page documents the outcome of a 2 hour working session held in London in February 2018. Details available here:

Selling Threat Modeling

We put together ideas for a brief 3 slide presentation aimed at a selling the idea of threat modelling to a product owner.

Example presentation

A draft presentation has been created to illustrate what the below content might look like in a deck. It is basic and was created using the features of Google Slides, so a proper version would need much more work. Ideally with the help of a graphic designer.

The presentation is available as PowerPoint and PDF.

General/rough notes for the session

Getting developer buy-in

“haven’t got time”

  • get to break stuff
  • take a feature and put everything out of scope
  • start small - a few key people, one team to test it
  • non-judgemental
  • use what you’re comfortable
  • business owns the outcome (e.g. documenting threats)
  • security facilitates
  • security champions
  • sell to the product owner
  • advocates at the bottom, buy-in from the top
  • threat modelling running sytems vs SDLC
  • what’s the benefit - engineer, product owner, risk
  • what to do when issus identified? Blame? Panic?…. - culture
  • legacy system - we don’t care :(
  • priority. tm can help prioritize the risk?
  • can TM “enable” agile/devops?
  • Get buy from the top? (optional)
  • Identify a small, friendly dev team

Who is the target audience?

Product Owner

Persona attributes:

  • Non-technical
  • Busy
  • Cares and takes pride in their work and deliverables
  • May have regulation concerns
  • Fear of the unknown
  • Doesn’t want additional work
  • Full-stack-responsibility - They care from design to operations

Slide 1 - The problem statement

  • Don’t know / can’t measure / uninformed about the risks associated with the platform
  • Unknown costs of remediation, regulatory fines, brand damage
  • Return on Investment is incomplete
  • Cost of fixing issues gets higher as you get closer to production
  • A pentest finding an issue in pre-production could push back releases by weeks
  • You might not be putting security where it’s needed - wasted effort, false sense of security

Slide 1 - Alternative

  • Would you like to know that your ROI calculations are well constructed?
  • Would you like to make informed risk decisions?
  • Would you like to deliver agreed scope more quickly?

Slide 2 - How does threat modeling solve this?

  • Comparison to Penetration Testing (how do they compliment, where in lifecycle)
  • Identify and quantify threats
  • Make informed decisions through discussion
  • Prioritisation
  • Risk equation
  • Get documentation for free
  • Threat modeling isn’t the only solution, not the complete picture

Slide 3 - Next steps

  • Training for develops, security to facilitate and mentor
  • start small - a friendly willing team, a few key people, one team to test it
  • take a feature and put everything out of scope
  • blameless culture
  • use what you’re comfortable
  • business owns the outcome (e.g. documenting threats)

Back to list of all Working Sessions and Tracks

Edit this page here