DAY 2, February 13
12:00 - 12:45
ABOUT THE SPEAKER
I am responsible for secure development (SDLC) and operation of software products delivered in both on-prem and SaaS (cloud-deployment) delivery models.
25+ years of experience in software development, 7+ of them in application security, responsible for secure development of 20+ products developed by 400+ engineers in 6 countries. CISSP; has delivered talks at OWASP, DevOps, Agile Development and ISC2 conferences, and at Java and security meetups.
SPEECH: Three Levels of Complexity: Threat Modeling of Containerized Applications
Abstract: Threat modeling is a very powerful tool within application security.
This session explains how we can optimize threat modeling and improve the outcome of the process, and how we can handle a new dimension in the model, since container usage requires attention to additional aspects that are easily overlooked.
We'll start from the common principles of threat modeling, the purpose of and expectations from the process, and continue with the different approaches, roles, and metrics we can apply to it. We'll then deep dive into the new aspects introduced by containerization of applications, for both legacy monolith and modern microservices architectures.
We'll conclude with examples where proper threat modeling and mitigation of the identified risks reduces the impact of vulnerabilities recently reported in Docker and Kubernetes.
Build a basic threat model for applications and define the attack surface.
Understand what additional security aspects are inserted by a new containerized deployment model.
Define threat modeling metrics and the maturity level of your product or organization.