Year of the Rabbit
Happy Lunar New Year and welcome to the Year of the Rabbit!
Let’s see some rabbit-related references in presentations this year.
No more Sun-Tzu stock phrases or Clausewitz cliches.
Where are the leadership lessons from Watership Down?
The social engineering tricks of El-ahrairah?
Or the appsec-like premonition from Fiver, “There isn’t any danger here, at this moment. But it’s coming…”
This week Marudhamaran Gunasekaran joined us to talk about his experience in customizing secure code training for #DevSecOps teams.
One of the points was that teaching pentesting concepts and tools is useful for building awareness on how apps are compromised, but developers don’t spend their day pentesting. They need resources that help them design and implement code, which is why threat modeling can be such a valuable security practice.
Marudhamaran mentions a few tools, including the Microsoft Threat Modeling Tool. I still prefer a tool-less approach where security moderates a discussion among a development team that walks through the questions of
- What are we building?
- What could go wrong?
- What should we do about it?
And if a tool is necessary, it’s just a loosely structured document that captures points made and recommended actions that came out of that discussion.