Back in March 2019 IriusRisk hosted a special ‘threat modeling brunch‘ event during the RSA San Francisco conference in which several luminaries from the world of threat modeling and application security gave talks. A great time was had by all and we now have three of the talks available for public consumption (with two more in editing) which are included below:
Introduction by Stephen De Vries
Keynote by Adam Shostack
Abstract:
“A Seat at the Table”
Threat modeling is not just a fundamental security practice — it can change your security culture. The agile, cloud, and devops have transformed technology, and all too often, left security wondering what our role is in the new world. Effective collaboration requires new skills, new approaches, and a new speed. We’ll look at all three, how security can collaborate, how we can engage before a line of code has been written, and how we can benefit from the directions the world is going. Slides
Talk with Jim Manico
Abstract:
“Application Security: Things are getting better”
Application Security began in the early 60’s where plaintext password storage, no password policy, poor access control and other massive security problems were the norm. This talk with review the history of application security to help illustrate not just how much application security has gotten better, but also how the rate of positive change has been getting better as well. This fun ride through the history of application security is meant to inspire those who work in the industry. We are often looking closely at failure and insecurity, but when we step back and look at our industry historically, we can all see just how much things truly are getting better. Slides
Stephen De Vries:
Stephen is our co-founder and CEO. He started his career as a C, C++ and Java developer, moving into security operations and then software security. He’s an active contributor to a number of OWASP projects and has helped FTSE 100 companies to build security into their development processes through threat modeling and integrated security testing. Stephen enjoys tinkering with renewable, off-grid energy systems and writing code.
Contact twitter: @stephendv
Adam Shostack:
Adam is a consultant, entrepreneur, technologist, author and game designer. He’s a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the “Elevation of Privilege” game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.
Contact Twitter: @adamshostack
Contact: Web: https://adam.shostack.org/
Jim Manico:
Jim Manico is the founder of Manicode Security where he trains software developers on secure coding and security engineering. He is also an investor/advisor for Signal Sciences and BitDiscovery. Jim is a frequent speaker on secure software practices, is a member of the JavaOne rockstar speaker and Java Champion community and is the author of “Iron-Clad Java: Building Secure Web Applications” from McGraw-Hill and Oracle Press. Jim also volunteers for the OWASP foundation where he helps build application security standards and other documentation.
Contact: Twitter: @manicode
web: https://manicode.com