XP2019 has ended
Saturday, May 25 • 1:30pm - 3:00pm
Threat Modelling (Part I) - Build security into your project from the ground up. (Kelsey Haaster, Robin Doherty)

When a group of stakeholders and team members come together to plan a new product or feature, they often focus on identifying stories that deliver end user value through solving a business problem, delighting the customer or disrupting a competitor. While these are critical stories, they are not the whole picture.

Every product has non-functional or cross-functional stories which must be played.
Security stories are an important part of these but are often not considered at all. When they are considered, they are often an afterthought or are assumed to be part of the project infrastructure. Trying to bolt on security as an afterthought in this way is a mistake that can lead to disaster at one extreme and, at the other, to compromises that reduce product usability or don't support good end-user security practices.
The challenge, of course, is that from the stakeholder perspective, security is not seen as a priority. This workshop is for software delivery teams who want to learn how to change this perspective and work with their stakeholders to help them to understand more about the importance of security. The goal is to help technical and non-technical stakeholders understand security and why it should be given priority and built into their product from the ground up. We show participants how to facilitate a structured meeting or workshop with their stakeholders where they use a simplified threat modelling technique to identify risks.

The outcome is the identification of user stories (or evil user stories) which, when played, will mitigate identified risks.

Learning Outcomes:
  • How to facilitate a threat modelling workshop.
  • How to identify the most important security risks, especially the not-so-obvious ones.
  • How to identify mitigations for security risks and turn them into playable user stories.

Robin Doherty

Security Lead, ThoughtWorks

Saturday May 25, 2019 1:30pm - 3:00pm EDT
E-2025 (2nd Floor)