Here are slides for my presentation at DevSecCon London, “Building Effective DevSecOps Teams Through Role-Playing Games”. It uses the social interaction in role-playing games as a model for working with DevOps teams to build secure apps and for making sure the apps’ threat models include social dimensions.


Automation is critical to building, testing, and scaling modern apps. Security benefits from being able to abstract cloud environments and infrastructure into APIs that we can code against. Such code helps make complex systems easier to understand, which in turn helps create better security controls.

Yet we neither build apps alone nor build them to never be used by people. This is where RPGs come into play. Tabletop RPGs are collaborative story-telling exercises with as much conflict, drama, and shared success as there is in developing and securing apps. We have technical references and top 10 lists for app vulns. In appsec, we don’t have a similar level of documentation and advice around working with people and building threat models with people in mind. This is a step towards raising awareness of resources and work that already exist and would be a great addition to a DevOps approach to software.