Wednesday 

Room 1 

10:20 - 11:20 

(UTC±00

Talk (60 min)

The question is not when to start threat modeling. It's when to stop

Threat modeling is often presented as an essential security practice, but rarely does anyone discuss when to declare a threat model "done", because the uncomfortable truth is that it never really is. This talk explores the paradox at the heart of threat modeling: while threats continuously evolve and systems constantly change, practical security work demands we set boundaries in our analysis and move forward with implementation of the mitigations.

Application Security

After a primer on threat modeling fundamentals, we'll examine a fundamental question every security team faces: not whether a threat model is complete, but whether it's sufficient for the current situation. We'll explore potential criteria for gauging whether you've reached the "point of diminishing returns" in your current modeling iteration, including resource constraints that shape real-world security programs.

Through case studies and practical examples, attendees will learn to recognize the signals that indicate further modeling won't meaningfully improve security outcomes, and to abandon "perfect" in favor of "good (enough)" in different contexts.

This talk is for security professionals who want to implement or improve threat modeling practices while maintaining momentum in their security programs. No prior threat modeling experience required – just a healthy skepticism about activities that could theoretically continue forever.

Georges Bolssens

Georges Bolssens embarked on his coding journey in the early 1990s and delved into the realm of application security in 2017. With an inherent passion for teaching, Georges is not only a seasoned developer but also an adept communicator. His unique talent lies in simplifying intricate subjects through relatable analogies, making him an engaging and effective speaker.

He has undertaken numerous consulting assignments, among which he can list vulnerability scanning and penetration testing as a "lone wolf", taking on the role of Security Champion in a medical device development team, and acting as internal Application Security Coordinator at a Big4 consultancy firm. Throughout his career and in all these assignments, Georges has assumed the role of cybersecurity educator for a diverse spectrum of professionals. His guidance has illuminated the path for individuals ranging from legal experts to ethical hackers and all those in between.

In his capacity as an Application and Product Security Consultant at Toreon, Georges has been instrumental in assisting numerous clients in constructing comprehensive threat models for their digital assets. His expertise and commitment led threat-modeling authorities Sebastien Deleersnyder and Steven Wierckx to appoint him as a co-instructor for Toreon's distinguished "Advanced Whiteboard Hacking – a.k.a. Hands-on Threat Modeling" course. Notably, he taught this course at the esteemed "BlackHat USA", "OWASP BeNeLux" and "Troopers" conferences to a wide variety of international cybersecurity professionals.