Jeevan Singh, Director of Product Security at Twilio, discusses how self-service threat modelling was introduced at Twilio to enable developers to take part in the security program.
...what's the main thing that she wanted me to tackle, and she's like, the security engineering team has a lot of operational work, and specifically on the threat modeling side, how do we ensure that as engineering grows way faster than security, we are not stuck doing operational work day in, day out, and that's all we're doing? So we came up with the idea of doing self-service threat modeling, where first we would teach engineering how to do threat modeling, we watch them perform it live and provide feedback through those sessions, and then later on we review the artifacts to see if they're doing it correctly.

We learned so many great things as part of that program, including: engineers are way better at threat modeling than we are. They know their systems much deeper. If you sort of point them in the right direction and let them know the type of things that we're looking for, they do a much, much better job than we do. We come in, we get about an hour of education on what the system is, and then we just scratch the surface for that. So that was a great way for us to understand how we can scale our threat modeling program. It didn't mean that we'd stop doing threat modeling; it meant that we can actually focus our energy on the most important parts of the system and threat model those, whereas the engineers themselves will focus on everything else. So for that particular program the heavy lifting would be on the engineering side, and it was really easy to maintain that program. And there's a number of other sorts of programs that we've also rolled out in the similar vein, where security engineering shouldn't be doing the heavy lifting, but we can push it in a way so that we can actually understand what the requirements are, and overall the goal is always to reduce risk.
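The review step described above, where security looks at the artifacts engineers produce to see whether they did the threat model correctly, is the part of a self-service program that can be partly automated so it scales. The following is an added example, not Twilio's tooling and not from the talk: it assumes a simple artifact schema (components with trust zones, data flows between them, and STRIDE threats per flow) and flags the gaps a reviewer would otherwise hunt for by hand, such as a boundary-crossing flow with no threats listed or a threat with no mitigation. The sample artifact is constructed for illustration.

```python
"""Lint a self-service threat-model artifact for common review findings.

Added example; the artifact schema (components/zones, flows, threats) is an
assumption, not a format the talk describes.
"""

# STRIDE categories an engineer is expected to consider per data flow.
STRIDE = {
    "spoofing", "tampering", "repudiation", "information_disclosure",
    "denial_of_service", "elevation_of_privilege",
}

# Constructed sample artifact, as an engineering team might submit it.
SAMPLE_MODEL = {
    "components": [
        {"id": "web", "zone": "internet"},
        {"id": "api", "zone": "dmz"},
        {"id": "db", "zone": "internal"},
    ],
    "flows": [
        {"id": "f1", "src": "web", "dst": "api", "data": "session token"},
        {"id": "f2", "src": "api", "dst": "db", "data": "customer PII"},
    ],
    "threats": [
        {"flow": "f1", "category": "spoofing", "mitigation": "mTLS and signed session token"},
        {"flow": "f1", "category": "tampering", "mitigation": "TLS 1.2+ on the edge"},
        {"flow": "f2", "category": "information_disclosure", "mitigation": ""},
        {"flow": "f2", "category": "bribery", "mitigation": "n/a"},
    ],
}


def _index(model):
    """Build lookup tables: component -> zone, flow id -> flow, flow id -> threats."""
    zones = {c["id"]: c["zone"] for c in model.get("components", [])}
    flows = {f["id"]: f for f in model.get("flows", [])}
    threats_by_flow = {}
    for t in model.get("threats", []):
        threats_by_flow.setdefault(t["flow"], []).append(t)
    return zones, flows, threats_by_flow


def lint_threat_model(model):
    """Return a list of review findings; an empty list means the artifact passes."""
    findings = []
    zones, flows, threats_by_flow = _index(model)

    for fid, f in flows.items():
        # A flow whose endpoints are not in the component list means the
        # diagram and the flow table disagree; the reviewer cannot trust it.
        for end in ("src", "dst"):
            if f[end] not in zones:
                findings.append(f"{fid}: unknown component {f[end]!r}")
        crosses_boundary = zones.get(f["src"]) != zones.get(f["dst"])
        covered = {
            t["category"] for t in threats_by_flow.get(fid, [])
            if t["category"] in STRIDE
        }
        if crosses_boundary and not covered:
            findings.append(f"{fid}: crosses a trust boundary but lists no STRIDE threats")

    for t in model.get("threats", []):
        if t["flow"] not in flows:
            findings.append(f"threat references unknown flow {t['flow']!r}")
        if t["category"] not in STRIDE:
            findings.append(f"{t['flow']}: {t['category']!r} is not a STRIDE category")
        elif not t.get("mitigation", "").strip():
            # Every threat needs a mitigation or an explicit accepted-risk note.
            findings.append(f"{t['flow']}: {t['category']} has no mitigation recorded")
    return findings


def missing_categories(model):
    """For each boundary-crossing flow, the STRIDE categories not yet considered.

    This is the 'point them in the right direction' feedback: it tells the
    engineer what to think about next rather than just failing the artifact.
    """
    zones, flows, threats_by_flow = _index(model)
    gaps = {}
    for fid, f in flows.items():
        if zones.get(f["src"]) == zones.get(f["dst"]):
            continue
        seen = {t["category"] for t in threats_by_flow.get(fid, [])}
        gaps[fid] = sorted(STRIDE - seen)
    return gaps


if __name__ == "__main__":
    for line in lint_threat_model(SAMPLE_MODEL):
        print("FINDING:", line)
    for fid, cats in missing_categories(SAMPLE_MODEL).items():
        print(f"{fid}: still to consider -> {', '.join(cats)}")
```

Run against the sample, the linter reports two findings (the empty mitigation on the PII flow and the non-STRIDE category) while the boundary-crossing flows themselves pass because each has at least one real threat listed; the `missing_categories` output is what a security engineer would hand back as feedback in one of the live sessions. In practice the artifact would be checked in next to the code so the lint runs in CI and the security team only spends review time on the systems it has chosen to threat model itself.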