Threat Modeling: A New Strategy That Can Scale
Panel Weighs in on Overcoming Cultural Barriers to Achieve Business Benefits
The cultural divide between application security and developer teams is well known. But threat modeling offers a new strategy to bring these teams together and achieve business benefits. Panelists from ServiceNow and IriusRisk discuss the road map.
Participating in this discussion are: Steve Springett, senior manager - product security, ServiceNow; Stephen De Vries, co-founder and chief executive officer, IriusRisk; and Adam Shostack, president, Shostack and Associates.
In this video interview with Information Security Media Group, the panel discusses:
- ServiceNow's threat modeling journey;
- Business benefits achieved through collaboration;
- The future of threat modeling for applications.
Springett educates teams on the strategy and specifics of developing secure software. He practices security at every stage of the development life cycle by leading sessions on threat modeling, secure architecture and design, static/dynamic/component analysis, offensive research, and defensive programming techniques.
De Vries started his career as a C, C++ and Java developer before moving into software security. He’s an active contributor to a number of OWASP projects and has helped FTSE 100 companies to build security into their development processes through threat modeling and integrated security testing.
Shostack is a leading expert on threat modeling and has been on IriusRisk’s technical advisory board since its inception. He currently helps organizations improve their security via Shostack and Associates and offers industry-leading threat modeling training. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Shostack is the author of "Threat Modeling: Designing for Security" and the co-author of "The New School of Information Security."
IriusRisk is the industry's leading threat modeling and secure design solution in application security. With enterprise clients including Fortune 500 banks, payments, and technology providers, it empowers security and development teams to ensure applications have security built in from the start - using its powerful threat modeling platform.