Session

Zoom out: Holistic security while keeping up delivery

Security done right starts with business risk: assessing systems against business risks and then mitigating those risks using security measures (technical or non-technical).

Yet with security teams stretched, developers focussed on delivering features fast, and no-one really getting information on business risks from above, how do we address the risks that matter without pushing out delivery dates?

In this session I'll show how to get ahead of the curve on security. I'll show our audience how to find risks and vulnerabilities in the code they write and the architectures they build.

I'll introduce threat modelling as a technique that can be used by anyone to find these, then show how a threat model empowers you to find the risks that matter most, and ignore the rest, all while providing the evidence you need for when others come asking.

And the best bit? Threat modelling is quick, easy to pick up, and provides lasting security benefits for your team and your systems. It's practical to introduce at any point in the lifecycle of a system and you can start small to dip your toe in the water.

At the end of this session the audience will have a reminder of the importance of security, they'll be equipped with a modern, flexible and simple method for finding and reducing security risks, and they'll know how they can get started.

This talk is not technical (though our demo and examples will include technical content) and focusses on how to tackle security while balancing the other needs of a typical development team. It's great for engineers and engineering team leads, but could give the greatest value to CTOs or other tech executives who are grappling with the challenge of security right now, particularly where their organisation does not have a security function, or their security function is not well aligned to modern development methods and tools.

Jonny Tyers

Pragmatic cloud security for tech businesses

Bristol, United Kingdom
