Threat Modeling Unleashed

Shaun Mckeag - Behind Application Security

Today we are joined by Altaz Valani from Security Compass and Shaun Mckeag, Principal Software Engineer at Gen Digital [https://www.linkedin.com/in/shaunmckeag/], to talk about her personal journey in software development and security. Many listeners are either trying to get into secure software development, or have graduated from a program that teaches security and software development, or perhaps recently transitioned from a different role. It’s nice to have someone with years of experience in the field to give some perspective, guidance, tips, and encouragement. Listen in as Shaun shares her personal journey that will  inspire and help those of us who are newer to the secure software space.   Useful links from this podcast: * https://www.linkedin.com/in/shaunmckeag/ [https://www.linkedin.com/in/shaunmckeag/] * https://nakedsecurity.sophos.com/podcast/ [https://nakedsecurity.sophos.com/podcast/] * https://www.sans.org/blog/ [https://www.sans.org/blog/] * https://www.devseccon.com/the-secure-developer-podcast [https://www.devseccon.com/the-secure-developer-podcast] * https://darknetdiaries.com/ [https://darknetdiaries.com/] * https://owasp.org/events/#AppSec%20Days [https://owasp.org/events/#AppSec%20Days] * https://devcon.org/ [https://devcon.org/] * https://www.blackhat.com/ [https://www.blackhat.com/]

Pranshu Bajpai - Use Training to Influence Your Developers With Embracing Security

Today we are joined by Altaz Valani from Security Compass and Pranshu Bajpai, Security Architect at Motorola Solutions [https://www.linkedin.com/in/pranshubajpai/], to talk about the use of application security training to influence developers toward embracing security. Many developers are eager to learn about security but they need help. Developers move very fast because their performance is often measured around release frequency. All of this is happening while developers have to keep up with continually evolving frameworks and tools. It is possible for security teams to influence developers without getting in their way.

Simone Curzi - Developer Centric Threat Modeling

Today we are joined by Altaz Valani from Security Compass and Simone Curzi, Principal Consultant at Microsoft [https://www.linkedin.com/in/simone-curzi-a357b334/], to talk about the role of developers within threat modeling. When we mention threat modeling, what often comes to mind are data flow diagrams created during a security design process. After these diagrams are created and eventually hit the developer backlog, we discover more insights that further evolve the security design. In this way, developers are crucial to an evolving threat model activity. Yet, many questions exist. We try to answer some of those developer questions related to threat modeling. Useful links from this podcast: * https://simoneonsecurity.com/ [https://simoneonsecurity.com/] * https://threatsmanager.com/ [https://threatsmanager.com/]  * https://www.threatmodelingmanifesto.org/ [https://www.threatmodelingmanifesto.org/]  * https://cve.mitre.org/ [https://cve.mitre.org/] * https://cwe.mitre.org/ [https://cwe.mitre.org/]

Jason Keirstead - Standardizing on Security Tool Integrations

Today we are joined by Altaz Valani from Security Compass and Jason Keirstead, Distinguished Engineer & Chief Technical Officer of Threat Management at IBM [https://www.linkedin.com/in/jasonkeirstead/] as well as Co-Chair of Open Cybersecurity Alliance. Security tool integrations are largely custom efforts today. That investment alone prevents loose coupling of our security tool architectures and timely delivery of security insights to key decision makers. Jason shares his insights on the work going on at Open Cybersecurity Alliance (OCA) to help solve this problem. The holy grail of an integrated security fabric that shares information across a toolchain can transform our ability to rapidly adapt to a changing threat landscape and allow for early detection of threat actor behavior. Jason shares his vision of how everyone can play a part in making this a reality, from customer procurement to vendor adoption of security standards.

Vaibhav Garg - Developer Centric Threat Modeling

Today we are joined by Vaibhav Garg, Executive Director, Cybersecurity & Privacy Research and Public Policy at Comcast [https://www.linkedin.com/in/gargvaibhav/], to talk about developer-centric threat modeling. We start by looking at ways to make threat modeling more appealing to developers. We discuss how a security team can help developers participate in threat modeling in the midst of continual change with both development and security teams. Ultimately, a threat modeling program is only as effective as the value it offers to a diverse group of stakeholders. We discuss how to measure and align the value of threat modeling across project, program, and executive levels. We conclude with Vaibhav’s thoughts about where he thinks developer-centric threat modeling is heading over the next 12 to 18 months.