Software Engineering Institute

Many threat modeling approaches exist with new techniques and tools emerging to perform the same activity for different scenarios. However, methodologies like DevSecOps pose a huge challenge for threat modelers, in incorporating the demands of different teams, including scaling and quality issues, and to successfully demonstrate its business value. This requires moving away from traditional practices to fit DevSecOps needs. After an elaborative study, we introduce a Maturity Model for Threat Modeling, focusing on how the model can be integrated with the enterprise. You will witness threat modeling as a central tool for security risk management, how various functions in the enterprise can be involved to address risk, and finally preparing organizations to experience the right outcome for recommended tool categories at every maturity level.

Panelists in this session included

• Hasan Yasar, CMU Software Engineering Institute, Technical Director, Continuous Deployment of Capability
• Simone Curzi, Microsoft Services, Principal Consultant
• Arun Prabhakar, Security Compass, Senior Consultant, DevSecOps
• Altaz Valani, Security Compass, Director, Insights Research
• Lotfi ben Othmane, Iowa State University, Assistant Teaching Professor