Merge pull request #1629 from zeroXten/fs/selling-the-idea

Adding markdown and presentation files

Working-Sessions/Threat-Model/Threat-Modeling-Sell-The-Idea.md

@@ -0,0 +1,105 @@
+---
+layout       : blocks/working-session
+title        : Threat Modeling Selling The Idea
+type         : workshop
+track        : Threat Model
+technology   :
+related-to   :
+status       : done
+when-day     : Tue
+when-time    : Eve
+location     : London
+room-layout  : unknown
+organizers   :
+participants : unknown
+---
+
+## When and where
+
+The page documents the outcome of a 2 hour working session held in London in February 2018. Details available here: https://pbx-group-security.com/working-sessions/
+
+## Selling Threat Modeling
+
+We put together ideas for a brief 3 slide presentation aimed at a selling the idea of threat modelling to a product owner.
+
+### Example presentation
+
+A draft presentation has been created to illustrate what the below content might look like in a deck. It is basic and was created using the features of Google Slides, so a proper version would need much more work. Ideally with the help of a graphic designer.
+
+The presentation is available as [PowerPoint](OWASP_Hidden_cost_of_insecurity.pptx) and [PDF](OWASP_Hidden_cost_of_insecurity.pdf).
+
+### General/rough notes for the session
+
+Getting developer buy-in
+
+"haven't got time"
+
+* get to break stuff
+* take a feature and put everything out of scope
+* start small - a few key people, one team to test it
+* non-judgemental
+* use what you're comfortable
+* business owns the outcome (e.g. documenting threats)
+* security facilitates
+* security champions
+* sell to the product owner
+* advocates at the bottom, buy-in from the top
+* threat modelling running sytems vs SDLC
+* what's the benefit - engineer, product owner, risk
+* what to do when issus identified? Blame? Panic?.... - culture
+* legacy system - we don't care :(
+* priority. tm can help prioritize the risk?
+* can TM "enable" agile/devops?
+* Get buy from the top? (optional)
+* Identify a small, friendly dev team
+
+### Who is the target audience?
+
+Product Owner
+
+Persona attributes:
+* Non-technical
+* Busy
+* Cares and takes pride in their work and deliverables
+* May have regulation concerns
+* Fear of the unknown
+* Doesn't want additional work
+* Full-stack-responsibility - They care from design to operations
+
+### Slide 1 - The problem statement
+
+* Don't know / can't measure / uninformed about the risks associated with the
+platform
+* Unknown costs of remediation, regulatory fines, brand damage
+* Return on Investment is incomplete
+* Cost of fixing issues gets higher as you get closer to production
+* A pentest finding an issue in pre-production could push back releases by
+weeks
+* You might not be putting security where it's needed - wasted effort,
+false sense of security
+
+### Slide 1 - Alternative
+
+* Would you like to know that your ROI calculations are well constructed?
+* Would you like to make informed risk decisions?
+* Would you like to deliver agreed scope more quickly?
+
+### Slide 2 - How does threat modeling solve this?
+
+* Comparison to Penetration Testing (how do they compliment, where in
+lifecycle)
+* Identify and quantify threats
+* Make informed decisions through discussion
+* Prioritisation
+* Risk equation
+* Get documentation for free
+* Threat modeling isn't the only solution, not the complete picture
+
+### Slide 3 - Next steps
+
+* Training for develops, security to facilitate and mentor
+* start small - a friendly willing team, a few key people, one team to test it
+* take a feature and put everything out of scope
+* blameless culture
+* use what you're comfortable
+* business owns the outcome (e.g. documenting threats)