There is an almost inescapable conflict between software developers and security engineers. Multiple areas suffer from this conflict, one of them being threat modeling, which fails because of the lack of cooperation between security engineers and software developers. With the existing methods, security engineers do not get a proper picture of the real risks, and software developers get no feeling for what to improve. Gamified threat modeling approaches like Cornucopia and Elevation of Privilege are designed to provide the missing common ground and a process that encourages exchange. As in a card game, each participant plays a card on their turn, and the group discusses the threat described on the card that was played. The presentation will go through an example application and show the difference between the classical approach to threat modeling and Cornucopia/EoP. The audience is going to learn about a new methodology and get hands-on experience of how to do threat modeling by playing cards.