2:25 p.m. – 2:55 p.m. Tuesday 5th

Room F3 - Track 3: Talks

Audience

Tester, product owners, developer, architect

Key-Learning

How to create evil user stories to find potential threats on the system you are protecting
Evil user stories make security work visible on the backlog and security features get implemented alongside functionality
Evil user stories can be used as test planning aid
Different methods of finding attacker perspectives

Are you tired of fixing security bugs afterwards in a hurry? Have you gone through depressing penetration testing reports too many times? Evil user stories are a way of addressing security threats in the planning and implementation phase.

The idea of evil user stories is simple: First, identify important data and assets in the application you are protecting. Then, identify threat scenarios by completing the sentence “An attacker should not be able to…”.

You can use evil user stories in development by putting them in the backlog and adding mitigations as acceptance criteria. This helps in implementing security together with functionality. In addition, they are a good starting point for test planning and getting testers involved in design.

You will learn to create evil user stories from different attacker perspectives and will be able to make security efforts visible in the backlog which is a step closer to building security in.

Related Sessions

2:25 p.m. – 2:55 p.m.

Room F2 - Track 2: Talks

30-minute Talk

The Five Quality Metrics You’ll Ever Need

Emanuil Slavov

3:10 p.m. – 3:40 p.m.

Room F1 - Track 1: Talks

30-min New Voice Talk

Little Red Riding Hood and the forest of broken windows

Michael Fontner

9:00 a.m. – 5:00 p.m.

Full-Day Tutorial (6 hours)

Practical Ethics for Tech Teams

Cennydd Bowles

11:10 a.m. – 11:40 a.m.

Room F2 - Track 2: Talks

30-minute Talk

The Customer As System Under Test

Keith McDonald

Evil User Stories - Improve Your Application Security

30-minute Talk

Timetable

Room

Audience

Key-Learning

Related Sessions