After weeks of putting it off, I finally watched “The Social Dilemma”. I was fully expecting it to be one of those shows where I didn’t learn anything new, and just a regurgitation of the show “The Great Hack”.

Oh, but it wasn’t.

It shows us in great detail, and in layman’s terms how software engineers (like me) are to blame for our part in developing machine learning algorithms to entice users to spend longer in apps, in turn monetising our attention span, and weaponizing our actions. …

What if I told you that you could give everyone in your org all the autonomy they want, and not increase risk to organisational continuity?

We start our ponderings by thinking about what autonomy means. What does it mean to be truly autonomous?

Let us pop ourselves into a utopian alternative universe, where there is no friction on any given decision, collaboration rules supreme, and everyone is skilled at everything. In this universe (and in our own), on each decision there are three classes of individuals needed. …

When it comes to the conversation of security, there are many tools that can help us to aim for an optimum level of security.


In short, threat modelling is the process of defining the risks in any given system, and then assigning the controls that give the best result in risk reduction. For more information please see OWASP's resource on the subject.

A challenge many businesses share is around measuring the outputs of threat model sessions and the controls put in place thereafter. One way to do so could be to use documentation in some sort of wiki, which we then collate…

Threat modelling is a very hot topic within security. With many companies struggling to roll out this methodology, we needed a solution that would allow us to do this at scale.

Threat modelling allows us to look at any given application and the infrastructure it lives in, as well as document and prioritise the security flaws. For more detail check out the following OWASP entry:

Aligning almost 100 scrum teams in their approach to threat modelling is a challenge we have at ASOS. Along with my Secure Development team, I embraced this challenge, and took the opportunity to come up with some innovative ideas.

One of these ideas came to me in what felt like an epiphany — a relatively straightforward way that we could roll out threat modelling.


Harjit Sandhu

Software Security Engineering
