User-Story Driven Threat Modeling


Threat modeling is a way of thinking about what could go wrong and how to prevent it. When it comes to building software, some software shops either skip the important step of threat modeling in secure software design or, they have tried threat modeling before but haven't quite figured out how to connect the threat models to real world software development and its priorities. Threat modeling should be part of your secure software design process. In this session we will look at some of the latest advances in threat modeling integrated with Agile Development processes by using User Stories and Abuser Stories. This process is iterative and meant to keep in step with Agile Development and/or DevOps practices. By enumerating threats against User Stories / Abuser Stories, you are not threat modeling an entire/massive system, but going granular by enumerating threats against relevant user stories. Finally, you will see how this process facilitates the creation of multiple segues into Security Test Cases and Mitigation Plans. You will also see how this process works with an automated approach to security test cases.


  • Robert Hurlbut

    1 Recording
    Robert Hurlbut is a Principal Application Security Architect at Aquia, Inc., specializing in Threat Modeling. Robert is a Microsoft MVP and has over 30 years of industry experience in software security, software architecture, software development, and security training. Robert leads or is also involved in these volunteer endeavors: Boston .NET Architecture Group ( - founder / leader since 2004, Amherst Security Group ( - leader since 2016, Application Security Podcast ( - co-host since 2016

Recorded At:

Recorded on:

Mar 10, 2022

More Info: