Martin Dubé,
Talk: Offensive Security and Threat Modeling, an unlikely collaboration
Talks will be streamed on YouTube and Twitch for free.
Offensive Security and Threat Modeling are two worlds that rarely intersect, even in the most mature and security-minded organizations. Yet both can address the same subject, a given system, with the same overarching goal: to improve the security posture of that system.
This talk is the fruit of an unlikely team-up of two specialists: one in offensive security, who engages organizations through external pentesting, and one in application security, who performs threat modeling as part of the internal software development process.
Both could be working on activities of the same security program, but are they often put in the same room the way they will be put on stage here? Will they fight, or end up shaking their heads in unison in consternation? What are the actual gains of having them work together to bring offensive security and threat modeling closer?
To answer that, we will quickly introduce the foundations of both crafts, with the obligatory definitions, but also give opinionated takes on their goals and on what makes engagements effective and productive.
We will go through two very different use cases to show how Offensive Security and Threat Modeling can integrate with and benefit from each other: a niche private LTE-centric system and an online multiplayer video game.
By the end of this talk, you will see how pentesting can evolve from opportunistic to strategic, and how threat modeling assumptions can be validated, confirmed and prioritized, all aligned with business needs and with some much-needed collaboration between the two disciplines.