Session

We are doing it wrong: Threat Modeling.

Threat modeling is one of the most critical activities if you release any software to the web. There are numerous tools, books (one of each is mine), and tutorials on doing it properly. My talk has a different intent: it walks you through bad practices, how the modeling goes wrong, and how bad actors can exploit that.

Here is an example:
Only one person in the company does threat modeling. On the surface, the "hero" approach might look like a good use of someone's time, but in the end, the diversity of the threat modeling participants matters. I'll give you some statistics from an exercise where the group put their heads together to protect a beer tap and a dog.

I'll also focus on actual use cases like these:
We do it once a year as a "team building exercise."
We need to know the threat model before we can use all the automated/helper tools.
We know everything, and our model is the best.

I've survived two breaches, and we could have prevented them with proper threat modeling.

The talk is interactive, full of fun stories and a bit of metal music. It aims to engage anyone in the secure software development chain and to encourage you to adapt your processes and secure your software by recognizing and rejecting these bad practices.

Bogomil Shopov - Бого

Human. Artist. Hacker.

Prague, Czechia
