Meetup Agenda: Agile Threat Modeling - 2 Hours
Theme: Integrating Security into Your Agile Sprints
Welcome Participants: Developers, Testers, Product Owners, Security Enthusiasts
Duration: 2 Hours (9:00 AM to 11:00 AM)
Location: HCDS Technologies Gurugram
Goal: To provide a practical understanding of agile threat modeling and equip attendees with the skills to integrate it into their agile workflows.
Agenda:
(9:00 - 9:15) Welcome & Introductions (15 Minutes)
  Welcome & Icebreaker (5 minutes):
    Brief welcome message.
    Quick round of introductions (name, role, experience with threat modeling/agile).
    "What's one security question you've always wanted answered?" (Quick sharing).
  Agenda Overview & Goals (5 minutes):
    Outline the agenda and expected outcomes.
    Emphasize the importance of agile threat modeling.
  Setting the Stage: Agile & Security (5 minutes):
    Brief discussion on the challenges of integrating security into agile.
    Highlight the benefits of proactive threat modeling.
(9:15 - 9:45) Agile Threat Modeling Fundamentals (30 Minutes)
  What is Threat Modeling? (10 minutes):
    Definition and core concepts.
    Explanation of common threat modeling methodologies (STRIDE, PASTA, etc.).
    Why it matters in agile.
  Integrating Threat Modeling into Agile (15 minutes):
    How threat modeling fits into sprints and iterations.
    Roles and responsibilities in agile threat modeling.
    Practical examples of incorporating threat modeling into sprint planning, backlog refinement, and retrospectives.
  Tools & Techniques Overview (5 minutes):
    Brief introduction to common threat modeling tools (OWASP Threat Dragon, Microsoft Threat Modeling Tool).
    Overview of data flow diagrams and attack trees.
(9:45 - 10:30) Practical Workshop: Threat Modeling a User Story (45 Minutes)
  Scenario Introduction (5 minutes):
    Present a simplified user story (e.g., "As a user, I want to be able to reset my password").
    Explain the context and assumptions.
  Group Formation (5 minutes):
    Divide attendees into small groups (4-5 people).
  Threat Modeling Activity (25 minutes):
    Each group will perform a simplified threat modeling exercise using the provided user story.
    Groups can use a simplified version of STRIDE or draw a simple data flow diagram.
    Identify potential threats and vulnerabilities.
    Discuss potential mitigation strategies.
  Group Presentations & Discussion (10 minutes):
    Each group briefly presents their findings.
    Facilitated discussion on common threats and effective mitigation strategies.
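As an added, worked version of the workshop exercise (not material from the meetup itself): a STRIDE-per-element pass over a constructed data flow diagram for the password-reset user story, which turns every element into candidate threats, ranks the ones sitting on a trust boundary first, and phrases each as a backlog item for sprint planning. The element names and trust zones are assumptions chosen for the illustration.

```python
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to each kind of DFD element.
STRIDE_PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
                      "data_store": "TRID", "data_flow": "TID"}
STRIDE_NAMES = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
                "I": "Information disclosure", "D": "Denial of service",
                "E": "Elevation of privilege"}

@dataclass(frozen=True)
class Node:
    name: str
    kind: str   # external_entity | process | data_store
    zone: str   # trust zone; a flow between two zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    name: str
    src: Node
    dst: Node

    def crosses_boundary(self) -> bool:
        return self.src.zone != self.dst.zone

# Constructed DFD for "As a user, I want to be able to reset my password".
USER = Node("User (browser)", "external_entity", "internet")
RESET = Node("Reset service", "process", "backend")
TOKENS = Node("Reset-token table", "data_store", "backend")
MAILER = Node("Mail provider", "external_entity", "third_party")
NODES = [USER, RESET, TOKENS, MAILER]
FLOWS = [Flow("Reset request", USER, RESET), Flow("Store token", RESET, TOKENS),
         Flow("Reset e-mail", RESET, MAILER), Flow("Token lookup", TOKENS, RESET)]

def enumerate_threats(nodes, flows):
    """Return (element, STRIDE category, on_boundary) triples, boundary ones first.
    An element is 'on the boundary' if it is, or touches, a boundary-crossing flow."""
    exposed = {n for f in flows if f.crosses_boundary() for n in (f.src, f.dst)}
    threats = [(f.name, STRIDE_NAMES[c], f.crosses_boundary())
               for f in flows for c in STRIDE_PER_ELEMENT["data_flow"]]
    threats += [(n.name, STRIDE_NAMES[c], n in exposed)
                for n in nodes for c in STRIDE_PER_ELEMENT[n.kind]]
    return sorted(threats, key=lambda t: not t[2])  # stable sort keeps DFD order per tier

def backlog_items(nodes, flows):
    """Phrase each threat as a backlog item a group can bring to sprint planning."""
    return [f"[{'High' if boundary else 'Normal'}] {cat} on {elem}: decide mitigation or accept"
            for elem, cat, boundary in enumerate_threats(nodes, flows)]
```

Running `backlog_items(NODES, FLOWS)` yields 26 candidate items, the 16 on the internet- and mail-provider-facing edges first, which is where a group should spend its 25 minutes.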
(10:30 - 10:50) Automating & Scaling Agile Threat Modeling (20 Minutes)
  Automation Opportunities (10 minutes):
    Discuss how to automate parts of the threat modeling process (e.g., using security tools and integrations).
    Examples of automated security testing and code analysis.
  Scaling Threat Modeling (10 minutes):
    Strategies for scaling threat modeling across multiple teams and projects.
    Building a security-conscious culture.
    Using threat libraries to speed up the process.
(10:50 - 11:00) Q&A, Wrap-up & Networking (10 Minutes)
  Open Q&A (5 minutes):
    Address any remaining questions from the audience.
  Wrap-up & Key Takeaways (3 minutes):
    Summarize the key learnings from the meetup.
    Provide resources for further learning.
  Networking (2 minutes):
    Encourage attendees to connect and network.
    Thank you and goodbye.