
A Seat at the Table by Adam Shostack


Adam´s presentation at Threat Modeling Brunch with IriusRisk in San Francisco, 6. March 2019


  1. A Seat At The Table • Adam Shostack
  2. About Me • Disclaimer: all products and companies mentioned for illustration. No endorsement or criticism implied.
  3. Open Security Summit Mission • “We passionately believe the hard problems and challenges that our industry faces can only be solved by working together, in a collaborative and open environment.”
  4. What Does Working Together Look Like?
  5. Dialogue Before Discussion • Dialogue: Fluid not fixed; Prototypes & experiments; Explore ideas and consequences; “What if?”; “How about” • Discussion: Fixed not fluid; Production code; Commit to one idea • Borrowing from John Allspaw (Etsy,
  6. Design Is … • A dirty word • Happening anyway • Ongoing and engaged • Happens “around a table” • “Dialogue” then “discussion” then “review” • RACI as a model
  7. “The Table” • Decisions are made • Seating is limited • Competition for a seat
  8. Security Doesn’t Play At The Table • “That would be insecure!” • “We’ll run a vuln scan”
  9. Security doesn’t have tools for the table
  10. What’s Needed For A Seat At The Table? • Tools that work in dialogue • Consistency • Soft skills!
  11. Threat Modeling as a Design Toolkit
  12. Four Questions for Threat Modeling • What are we working on? • What can go wrong? • What are we going to do about it? • Did we do a good job?
  13. Structure Allows Consistency • Brainstorming: People; Experience; Skills • Mechanisms & structures: STRIDE; Kill Chain • Consistency allows collaboration
  14. Threat Modeling Is A Big Tent • Like developing software • Lots of tasks, tools, deliverables, skills involved • Think building blocks & microservices • Think engagement, not review • But we still need the soft skills!
  15. Soft Skills • Often seem ill-defined
  16. Funny!
  17. A Few Important Soft Skills
  18. Naturally! • Nothing we do in the work day is “natural” • Evolved for various reasons – good and bad • Need to learn and practice
  19. Respect • Pay attention to the person speaking • Don’t interrupt • Don’t read your email • Don’t have side conversations • Pay attention to the people not speaking • Are we inviting them to speak? • Here at AppSec Cali, and at work
  20. Active Listening • Pay attention • Show you’re listening • Body language and gestures • Provide feedback • Defer judgment • Respond appropriately
  21. Assume Good Intent • No one is paid to make your life harder • We’re all here for the conference (or work) • What belief leads to their being such an idiot?
  22. Diversity • An intrinsic good • With real business value • Soft skills are welcoming • Behaviors that drive people away, drive people away
  23. Summary
  24. Win a seat at the table • Tools • Consistency • Soft skills
  25. Thank you!
  26. Questions? (or)
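As an added example (not from the talk and not Adam Shostack's code), here is the kind of structured tool slides 12 and 13 point at: STRIDE-per-element applied to a small data flow diagram, so that "What can go wrong?" is answered the same way whoever is at the table, followed by a check for "Did we do a good job?" that lists every threat with no recorded decision, boundary-crossing flows first. The mapping of STRIDE categories to element types is the standard STRIDE-per-element one; the system, trust zones, flows and decisions are constructed for illustration.

```python
"""STRIDE-per-element over a tiny data flow diagram (DFD), then a coverage
check for the fourth threat-modeling question, 'Did we do a good job?'.
The system, names and decisions below are constructed for illustration."""
from dataclasses import dataclass

# STRIDE-per-element: which threat categories apply to each DFD element type.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
CATEGORY = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # a key of STRIDE_PER_ELEMENT other than data_flow
    trust_zone: str  # elements in different zones are separated by a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool  # True only for flows that cross a trust boundary


def enumerate_threats(elements, flows):
    """Question 2, 'What can go wrong?', answered by structure rather than brainstorming."""
    zone = {e.name: e.trust_zone for e in elements}
    threats = []
    for e in elements:
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, CATEGORY[letter], False))
    for f in flows:
        crosses = zone[f.src] != zone[f.dst]
        for letter in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(f.name, CATEGORY[letter], crosses))
    return threats


def undecided(threats, decisions):
    """Question 4: threats with neither a mitigation nor a recorded risk acceptance.
    Boundary-crossing flows sort first because that is where an attacker's reach changes."""
    gaps = [t for t in threats if (t.element, t.category) not in decisions]
    return sorted(gaps, key=lambda t: (not t.crosses_boundary, t.element, t.category))


# Constructed sample model: a browser talking to an API that reads an internal database.
SAMPLE_ELEMENTS = [
    Element("Browser", "external_entity", "internet"),
    Element("Web API", "process", "dmz"),
    Element("Session cache", "process", "dmz"),
    Element("Orders DB", "data_store", "internal"),
]
SAMPLE_FLOWS = [
    Flow("login request", "Browser", "Web API"),
    Flow("order query", "Web API", "Orders DB"),
    Flow("session lookup", "Web API", "Session cache"),
]
# Question 3, 'What are we going to do about it?': decisions recorded so far (constructed).
SAMPLE_DECISIONS = {
    ("Browser", "Spoofing"): "mitigate: password plus second factor",
    ("login request", "Tampering"): "mitigate: TLS 1.3",
    ("login request", "Information disclosure"): "mitigate: TLS 1.3",
    ("order query", "Information disclosure"): "mitigate: mTLS between API and DB",
    ("Session cache", "Repudiation"): "accept: cache is not an audit source",
}


def run_example():
    threats = enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)
    return threats, undecided(threats, SAMPLE_DECISIONS)


if __name__ == "__main__":
    threats, gaps = run_example()
    print(f"{len(threats)} threats enumerated, {len(gaps)} still undecided")
    for t in gaps[:5]:
        flag = "boundary" if t.crosses_boundary else "internal"
        print(f"  [{flag}] {t.element}: {t.category}")
```

Because the element types drive the enumeration, two people modeling the same diagram get the same 27 candidate threats; the conversation at the table is then about the decisions, not about whether anyone remembered to ask about repudiation.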