Use the OWASP Threat Modeling Playbook to Improve your Product Security, presented at AppSecIndonesia2020

by Sebastien Deleersnyder

Summary: We consider threat modeling a foundational activity to improve your software assurance or product security. We have trained hundreds of experts and consulted with as many clients regarding threat modeling. We found that a well-established threat modeling practice measurably decreases the security issues of delivered products. But performing a threat modeling exercise is one thing; scaling it up as a standard practice in an organization is another. Threat modeling is often considered a manual and costly activity with an unpredictable outcome.

We pulled together our Toreon threat modeling vision and strategy with OWASP best practices (such as OWASP SAMM and the AppSec champion playbook) to create a 'Threat Modeling Playbook'. The playbook shows you how to turn threat modeling into an established, reliable practice in your development teams and in the larger organization. We released it as an open source OWASP project for everyone to use and improve upon.

We encourage you to download and use our playbook. Try it with your own team or on a pilot project, and let us know how it works and how we can improve it. With you, we can create a community to support and continuously improve the 'Threat Modeling Playbook'. Together, we can make threat modeling more widely available, which in turn will make all of our software more secure.

GitHub repository: https://github.com/Toreon/threat-model-playbook
OWASP project page: https://owasp.org/www-project-threat-modeling-playbook/

Outline of the talk:
- Threat modeling
- Leveling up: we need a playbook!
- Get stakeholder buy-in
- Embed in your organization
- Training your people
- Strengthen your processes
- Innovate with technology
- Open sourcing our playbook / demo
- Q&A