TestBash World 2022 - TestBash Revisited - Threat Modelling: How Software Survives in a Hacker’s Universe with Saskia Coplans

In this session, we will be revisiting @saskia’s talk from TestBash Manchester 2019. Saskia will join us on the main stage for a chat whilst we watch the talk and discuss what was said back in 2019 and what could have changed since then.

We’ll use this Club thread to share resources mentioned during the session and answer any questions we don’t get to during the live session.

1 Like

Get connected with Saskia Coplans
Twitter: https://twitter.com/ms__chief
LinkedIn: https://www.linkedin.com/in/saskiacoplans/
Website: Blog - Digital Interruption

Questions answered in the session

  1. Any chance you can go into those conspiracy theories today? I’m quite curious now actually -Veerle Verhagen
  2. Could you use methods and approaches from other parts of software testing to use in Security testing?- Ben Dowen
  3. What is your view point on public sec/pen testing such as HackerOne. Do you see benefit in having sec testing both internally and also opening up to the public.- James Wadley
  4. Are there any recommended automated security testing tools (beyond static analysis)?- Anonymous

Unanswered Questions

  1. Have you ever mixed Risk Storming with Threat modelling?- Ben Dowen
  2. Do you think performance testing should be coupled with security testing to help with things like DDoS.- James Wadley
  3. Is it better to start with what is your biggest concern or what is the is most likely to happen (Owasp top 10)? - Robert Foster
  4. I work in a rather large company and we have a QA department, as well SRE and Security teams. As a QA engineer should I leave security to the sec. team or … -Mohsen N.
  5. How useful are tools like Wireshark in your job? And are they hard to learn?- Mirza Sisic
  6. Cybersecurity is major concern for world how to prevent or assure customer that software is completely secure.- Prince Ghosh

Some Important links from the session


I don’t think that is realistic, unless you’re developing something really simple. A little bit like saying software will definitely be released bug. On top of that, there may be no known vulnerabilities in a package that you are using now but down the road something may be discovered.

Depending on the nature of your product/company, there are certifications that you can get that don’t say “my software is bulletproof” but does say “we are doing the right things to make our software secure.”


Just my thoughts (hope im okay chipping in on discussion) but it is something to be concerned with. Unless these people are involved in your day to day (not something i’ve seen), it is important to think about these things in much the same way that we shift testing left. You don’t want to find a big security flaw in your system towards the end of the project!