The Need for Threat Modeling in a DevSecOps World
Software Engineering Institute
In a world where the norm is to implement complex, deeply connected solutions with access to huge amounts of data, building code fast is a necessity and automation is key. Acronyms like SAST, DAST, SCA, and SIEM are now common, a sign of how widely automated security testing is regarded as the way to add security to any solution. Threat modeling is a recognized family of methodologies that provide a structured approach to analyzing the security of an application, so it is only natural to try to make it an integral part of DevSecOps. Unfortunately, this has proven to be very tricky, because automation tends to work through abstractions and misses the specifics of your solution. This presentation will discuss the role of threat modeling in DevSecOps, how you can adopt it effectively, and how you can make use of currently available tools.
This presentation by Simone Curzi of Microsoft Consulting Services was given virtually at DevSecOps Days DC 2020 on October 1, 2020. Simone Curzi is a Principal Consultant at Microsoft Consulting Services. Simone has more than 20 years’ experience covering various technical roles in Microsoft Services, and has fully devoted himself to Security for more than 5 years. A renowned Threat Modeling and Microsoft Security Development Lifecycle (SDL) expert, Simone is also one of the leaders of the Worldwide Microsoft Community on Application Security and a subject matter expert for the Security Community.