Far from green fields - introducing Threat modelling to established teams

2023-02-15

Authors: Sarah-Jane Madden


Summary

The presentation discusses the challenges and solutions in implementing threat modeling in established software development teams, particularly during the COVID-19 pandemic.
  • Established software development teams may have difficulty in implementing threat modeling due to their existing processes and lack of security expertise.
  • To address this, it is important to provide benefits and scope of threat modeling, as well as point to similar organizations that have successfully implemented it.
  • Threat modeling should be integrated into the software development process and not treated as a separate tool.
  • Facilitated sessions can help teams overcome challenges in implementing threat modeling, particularly during remote work situations.
The speaker shared a story of a product manager who expressed frustration over their team's lack of findings in their threat modeling sessions. Upon investigation, it was discovered that the team had resorted to a visual code review process via email, which was not effective. Facilitated sessions were then conducted to help the team overcome their challenges.

Abstract

'Far from green fields - introducing Threat modelling to established teams' takes a look at the unique challenges of introducing Threat Modelling to well-established software teams. Microsoft introduced threat modelling as part of the trustworthy computing initiative back in the early 2000s. This was in response to issues they were facing maintaining the trust of their user base in the light of several high-profile security issues. Nobody would categorise Microsoft as a startup in 2002, and nobody at Microsoft was suggesting that they stop moving forward with planned features and advancements while they adjusted their practices. Why is it that so much of the material available to support you as you roll out threat modelling describes it in the context of greenfield projects? Most of us need to know how to successfully introduce this highly effective shift-left security practice to real teams; teams that are running at pace on the treadmill of change, spinning the plates of customer commitments and feature enhancements. In this talk, I will share the experiences of a 3-year journey I have been on to introduce threat modelling to my colleagues across a range of product offerings. We made some mistakes, we learned some lessons the books could not have taught us, but ultimately we succeeded, and in succeeding we learned that introducing threat modelling is only the beginning. Originally conceived in a pre-COVID world, this talk has been updated to include a look at the challenges and some surprising advantages of threat modelling on remote teams.
