Izar Tarandach

Threat Model Every Story – developers are architects too

The good old days of waterfall! You had “The One Design To Bind Them All” and once it got all agreed, the developers would happily implement it “per spec”. But alas, we are not there anymore. Agile methodologies basically guarantee that the deployed system will change, and change fast, since inception. Design emerges as it develops. How do we cope with that in Threat Modeling? This talk explores moving to a team-based collaborative and continuous Threat Modeling methodology, and how the dialog has moved the dependency away from security SMEs and into the team.

PyTM, an Open Source lightweight threat-modeling-as-code support system is also presented.
(although Agile and waterfall are mentioned, this is a methodology-agnostic talk)


Izar Tarandach is Lead Product Security Architect at Autodesk inc.. Prior, he was the Security Architect for Enterprise Hybrid Cloud at Dell EMC, for long before a Security Consultant at the EMC Product Security Office. With more years than he’s willing to
admit to in the information security arena, he is a core contributor to the SAFECode training effort and a founding contributor to the IEEE Center for Security Design. He holds a masters degree in Computer Science/Security from Boston University and has served
as an instructor in Digital Forensics at Boston University and in Secure Development at the University of Oregon.

Become a Source Insider

Get promotions and special offers directly to your inbox.