AppSecurity ShiftLeft

Session Track
Beyond Drupal
Skill level
Intermediate

Traditionally, security is an afterthought: after a site or an application has been developed, the enterprise InfoSec team performs a penetration test. This is clearly a waterfall approach and a difficult one. Not only does it increase conflict and slow delivery, it also degrades the experience for our users.
This session is about moving product security and quality considerations closer to the development team so that potential issues are avoided or resolved sooner, even before code is committed. This involves intervention on many fronts: people, process, knowledge, and tools (including integrations between tools).

The second part of the conversation is around Agile methods of threat modelling: a pragmatic review of the shortcomings and implementation challenges inherent in the classical threat modelling methodologies. The founding principle is that, in order to be effective, threat modelling must scale across the infrastructure and the entire product management, design and engineering portfolios, integrate seamlessly into an Agile environment, and provide actionable, accurate and consistent outputs for the entire product team (developers, security teams and senior executives alike). We will briefly walk through a hypothetical Agile threat modelling exercise.