Training: 8–9 November 2016
Tutorials & Conference: 9–11 November 2016
Amsterdam, NL

Scalable threat modeling with risk patterns

Stephen de Vries (ContinuumSecurity)
15:50–16:30 Thursday, 10 November, 2016
Bridging business and security
Location: G106/107 Level: Intermediate
Average rating: *****
(5.00, 2 ratings)

Prerequisite knowledge

  • A general understanding of threat models

What you'll learn

  • Learn how to improve the speed and consistency of your threat modeling activities
  • Explore a technique to build automation tools to support threat modeling


Current approaches to threat modeling emphasize manual analysis, which is typically performed by security-trained teams. This has a high initial cost, both in terms of time and the skills required to perform it. Enterprise environments offer the additional challenge of scaling this activity across thousands of products with a limited number of software security specialists to guide the process. Lack of the necessary security skills is one of the main reasons why many smaller companies never attempt threat modeling in the first place.

Stephen de Vries presents a software-centric threat modeling method that uses architectural risk patterns to greatly speed up the process of generating a threat model and also introduces a degree of consistency between models that is often lacking in purely manual approaches. The method for creating risk patterns employs principals from object-oriented software design such as inheritance and polymorphism so that the contents of the patterns can be practically maintained and extended without unnecessary repetition.

Topics include:

  • Transplanting threat modeling from the security team to the dev team
  • How to identify architectural risk patterns in components and use cases
  • Using inheritance to encourage reuse
  • Using polymorphism to provide detailed and specific countermeasure advice
  • Assembling risk patterns with a rules engine
Photo of Stephen de Vries

Stephen de Vries


Stephen de Vries is founder of Continuum Security, where he leads product development of the IriusRisk threat modeling tool as well as the BDD-Security open source testing framework, which is used extensively in SecDevOps workflows. Stephen specializes in building software and providing services to secure the SDLC. He has a strong background in web application security, with an emphasis on automated security testing and risk assessment. Stephen has published numerous original research papers and presented at conferences including Blackhat USA/Europe, DevOps Connect, Devoxx, and OWASP, among others. Stephen’s 17 years’ experience in information security has included a broad range of disciplines from software development, security code reviews, and security assessment to risk management and architecture security reviews.