From The Start: Infuse Security Into Requirements Architecture and Design

Wednesday, October 30

9:45 AM - 10:45 AM

Location: Southern 5

Speaker(s)

THOMAS SCANLON

Senior Cybersecurity Researcher
Carnegie Mellon University

To truly make security a fundamental, integral aspect of software development, it needs to be engineered in from the very beginning of a project. Many people know they should "build security in," but they don't know how—beyond security tooling. This talk will present practical methods and techniques for infusing security interests into a software development project from the start. We will discuss how mission threat workshops can be utilized at a project's inception to identify architectural and engineering security considerations, how threat models and threat assessments can be used to elicit security requirements, and how attack models can be used to foster secure architectures. A variety of techniques will be presented and explained along with guidance on how to select appropriate methods for a project.

Learning Objectives:

Describe techniques and methods for eliciting security requirements and incorporating security interests into software architecture and design.
List numerous types of threat and attack modeling techniques, understand their differences and be able to select an appropriate technique for a given project.
Conduct a threat assessment for a software development project before any code is written, including assessing risk and prioritizing security concerns.