Session
Code Secure Without Becoming a Hacker
The Security World is great at training pentesters by the dozens. This success has hidden the fact that the same approach does not work for training Software Engineers. This session will cover how security emerges from engineering and how Security Assurance can optimally interact with developers without hindering developer velocity.
This is a concept I have been speaking on and developing for about 4 years. I start by sharing my experience bridging the gap between engineering and security. Using a bit of first-principles analysis, we can see how developers should address security concerns, sometimes by extending existing practices with specific security intent. I will also show a generic webapp threat model and a security model based on ISO 25010 for our in-class conversation.

Alton Crossley
Security/Software Engineer and all-around helpful guy
Bozeman, Montana, United States