AppSec & DevSecOps

D7: FAIR STRIDE - Building Business Relevant Threat Models for AppSec

Friday, September 23, 2022 1:30 PM - 2:30 PM

Room 503

Have you ever wondered what the ROI is on a security control? Or whether you should spend time fixing 2 highs or 47 mediums? FAIR STRIDE is a method for creating application threat models that can answer these questions. We will explore expressing the outputs of a STRIDE threat model in projected dollars lost instead of a set of high, medium, and low severity threats. We will discuss how to use the output of such a model to inform strategic planning, justify investment in security controls, and define a roadmap towards scalable risk reduction for a product.
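The abstract describes the core move of the method: replace the high/medium/low labels on STRIDE threats with an expected annual dollar loss, then use those dollars to rank fixes and justify controls. The following is an added illustration written for this page, not the speaker's code or material from the talk. It assumes a simplified FAIR-style model: each threat carries a three-point estimate (min, most likely, max) for loss event frequency per year and for loss magnitude per event, each collapsed to the mean of a triangular distribution rather than the Monte Carlo a full FAIR analysis would run; a remediation is assumed to fully eliminate the threats it covers; and the threat names, dollar figures and remediation costs are constructed samples. The names `Threat`, `annualized_loss`, `risk_reduction`, `roi` and `compare_options` are this example's own.

```python
"""FAIR-style dollar quantification of STRIDE threats (added example).

Assumptions: three-point estimates (min, likely, max) for loss event
frequency and loss magnitude, reduced to a triangular mean instead of a
Monte Carlo simulation; full mitigation of fixed threats; all threats,
dollar figures and control costs below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import cycle

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass(frozen=True)
class Threat:
    name: str
    category: str                      # STRIDE letter
    severity: str                      # qualitative label the dollar view replaces
    lef: tuple[float, float, float]    # loss events per year: (min, likely, max)
    lm: tuple[float, float, float]     # dollars per loss event: (min, likely, max)

    def __post_init__(self):
        if self.category not in STRIDE:
            raise ValueError(f"not a STRIDE category: {self.category}")
        for est in (self.lef, self.lm):
            lo, mode, hi = est
            if not (0 <= lo <= mode <= hi):
                raise ValueError(f"need 0 <= min <= likely <= max, got {est}")


def triangular_mean(est):
    lo, mode, hi = est
    return (lo + mode + hi) / 3.0


def annualized_loss(t: Threat) -> float:
    """FAIR: risk = loss event frequency x loss magnitude, in dollars per year."""
    return triangular_mean(t.lef) * triangular_mean(t.lm)


def rank_by_dollars(threats):
    return sorted(threats, key=annualized_loss, reverse=True)


def risk_reduction(threats, fixed):
    """Dollars per year removed by fully mitigating the threats named in `fixed`."""
    return sum(annualized_loss(t) for t in threats if t.name in fixed)


def roi(reduction: float, control_cost: float) -> float:
    """Return per dollar spent on a control: (avoided loss - cost) / cost."""
    if control_cost <= 0:
        raise ValueError("control cost must be positive")
    return (reduction - control_cost) / control_cost


# Constructed sample model: 2 "high" findings and 47 "medium" findings.
HIGHS = [
    Threat("Forged session token accepted", "S", "high",
           lef=(0.1, 0.2, 0.3), lm=(500_000, 1_000_000, 1_500_000)),
    Threat("Admin endpoint reachable without auth", "E", "high",
           lef=(0.05, 0.1, 0.15), lm=(1_000_000, 2_000_000, 3_000_000)),
]
MEDIUMS = [
    Threat(f"Medium finding {i:02d}", cat, "medium",
           lef=(1, 2, 3), lm=(2_000, 5_000, 8_000))
    for i, cat in zip(range(1, 48), cycle("STRIDE"))
]
MODEL = HIGHS + MEDIUMS


def compare_options(model=MODEL, cost_highs=50_000, cost_mediums=150_000):
    """Dollar view of 'fix 2 highs or 47 mediums' with assumed remediation costs."""
    hi_names = {t.name for t in model if t.severity == "high"}
    med_names = {t.name for t in model if t.severity == "medium"}
    hi_red = risk_reduction(model, hi_names)
    med_red = risk_reduction(model, med_names)
    return {
        "highs": {"risk_removed": hi_red, "roi": roi(hi_red, cost_highs)},
        "mediums": {"risk_removed": med_red, "roi": roi(med_red, cost_mediums)},
    }


if __name__ == "__main__":
    for t in rank_by_dollars(MODEL)[:3]:
        print(f"{annualized_loss(t):>12,.0f} $/yr  {t.severity:6} "
              f"{STRIDE[t.category]:<22} {t.name}")
    for option, r in compare_options().items():
        print(f"{option:8} removes {r['risk_removed']:>10,.0f} $/yr, "
              f"ROI {r['roi']:.2f}x")
```

With the constructed numbers, the two highs each sit at the top of the dollar ranking, yet the 47 mediums together remove more annual loss (470,000 versus 400,000 dollars), while the highs give the better return per remediation dollar at the assumed costs. That is the kind of trade-off a label-only ranking cannot express; in practice the estimates should come from calibrated ranges and a full FAIR simulation rather than the triangular means used here.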