Amplify Downstream Value with Technology Captures and Layers

September 28, 2024
10:00am
Seacliff A/B/C/D
Expert Talk

About this session

How many downstream teams repeat much of the same research and recon process to understand a system before they can analyze how to secure it? Are we leaving value on the table by abandoning our threat models after design time? Not everyone will be diagramming in your threat modeling tool, but teams downstream in the SDLC can consume the threat model as input if we tailor it to them at design time.

This session will explore how to extend the functionality and value of threat models beyond design time. We will rethink the "intended audience" for threat models and discuss how to tailor them to benefit other teams throughout the software development lifecycle (SDLC). We’ll cover techniques for creating Technology Captures as contextual assets for downstream teams, and how to use layering functionality to provide tailored "views" of your threat models based on specific needs. Through examples, we’ll demonstrate how to present layers for various aspects such as data connections, persistence, asset and control tables, and network security trust zones. By the end of the session, you’ll learn how to use Technology Captures to enhance system comprehension, envision how your threat models can support other teams, and consider a "weighted" approach based on the risk and complexity of your models.

Speaker

Brenna Leath
Software Security Principal, Navy Federal Credit Union