AppSec USA 2016 has ended
Back To Schedule
Thursday, October 13 • 2:15pm - 3:15pm
Threat Modeling with Architectural Risk Patterns

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Current approaches to Threat Modeling emphasise manual analysis typically performed by developers together with a security specialist.  This has a high initial cost, both in terms of time and the skills required to perform it.  Both of those constraints are under pressure as organisations increase the speed and volume of software development.  In enterprise environments there is the additional challenge of scaling this activity across thousands of products with a limited number of software security specialists to guide the process.  Lack of necessary security skills is also a reason that many smaller companies never attempt threat modeling in the first place.
This talk will present a software-centric method of threat modeling that uses risk patterns to increase the speed of creating a threat model and that also introduces a degree of consistency into the process.  We’ll present a series of incremental improvements to the use of risk patterns from a simple checklist based approach to the use of a flexible rules engine.


This method could be implemented by tooling to automatically generate a threat model based on architectural decisions.  The technique employs principals from Object Oriented software design such as inheritance and method overloading so that the contents of the patterns can be practically maintained and extended without unnecessary repetition.  Organisations can use this method to extract the expertise from their software security experts so that threat modeling knowledge is retained and can be re-used within the organisation.

avatar for Stephen de Vries

Stephen de Vries

Founder, CEO, Continuum Security SL
Stephen is the founder of Continuum Security and focussed on building AppSec tools to support security in the SDLC, including the IriusRisk threat modeling tool and BDD-Security open source security testing framework. His background is in software development and security testing... Read More →

Thursday October 13, 2016 2:15pm - 3:15pm EDT
Grand South Renaissance Washington, DC Downtown Hotel 999 9th St NW, Washington, DC 20001