Iterative Threat Modelling: Security in Agile Development | Jagdsh Chand | Conf42 DevSecOps 2023

Conference: Conf42 DevSecOps 2023

Year: 2023

Read the abstract ➤ https://www.conf42.com/DevSecOps_2023_Jagdsh_Chand_iterative_threat_modelling_agile_development

Other sessions at this event ➤ https://www.conf42.com/devsecops2023

Join Discord ➤ https://discord.gg/DnyHgrC7jC

Chapters:
0:00 intro
1:43 about jags
2:25 expectations
2:55 threat modelling
3:49 misconceptions about tm
5:18 agile threat modelling
8:11 owasp juice shop
9:26 before starting...
11:05 example: security objective
12:12 what do we want to accomplish? - scoping
13:10 example: scoping
13:44 what are we building? software-centric approach
14:44 example: data flow diagram
15:45 what can go wrong? - evil brainstorming
16:42 methodology. No 'best' way
17:23 spoofed identity
19:50 tampering with input
20:47 repudiation of action
21:33 information disclosure
22:53 denial of service
23:23 elevation of privilege
24:09 example: applying stride
25:07 what are we going to do about it? - prioritize
26:26 example: prioritize
28:45 mitigation
29:51 example: mitigation
30:41 did we do a good job? - reflect...
31:50 iterative threat modelling ...and repeat
33:44 ways of running the workshop
34:39 learn more
35:26 threat modelling in software development lifecycle
36:34 what was the mnemonic again?!?!
36:44 takeaways