#06

The Farmer

July 2, 2025 · Ordem dos Engenheiros – Região Norte · Porto · Sponsored by OERN

Agenda

18:00 Intro and Welcome by the OWASP Porto chapter leadership
18:15 Applying Threat Modelling in modern development environments — Gonçalo Matias
19:00 GenAI Mind Tricks – Are these the secure chatbots you're looking for? — Bruno Morisson
19:45 Drinks & Dinner by OERN

Talks

Applying Threat Modelling in modern development environments

Gonçalo Matias

In today's fast-paced software development, understanding and mitigating security risk is paramount. Adopting security activities early in the software development lifecycle is crucial for efficient management of resources and controlling development costs — threat modelling stands out as one of the most impactful ways to "shift left." This session leverages the fact that every person is already consistently applying some form of threat modelling in their day-to-day activities, and expands that existing capability into a more structured skill. It explores various approaches, including how Ocado Technology applies its own methodology to threat modelling across simple plugins, large-scale systems, serverless apps, and complex microservice architectures.

Speaker Bio
Gonçalo Matias is a Senior Application Security Engineer at Ocado Technology, bringing over 20 years of software development experience across diverse platforms, languages, and frameworks. A security enthusiast since his earliest projects, his career evolved from software development to specialised security roles, including research and penetration testing. Threat modelling is his favorite security activity. He plays electric guitar and is an instructor of "Haidong Gumdo", a Korean sword martial art.

GenAI Mind Tricks – Are these the secure chatbots you're looking for?

Bruno Morisson

After experimenting with various public challenges on LLM chatbots — like Gandalf, PromptAirlines, and more — the speaker decided to build his own: not just to understand how LLMs work, but to see how easily they can be broken. This talk dives into the security risks of Generative AI, particularly LLM chatbots, exploring vulnerabilities that are often overlooked. From sensitive information disclosure to prompt injections and jailbreaking, the presentation walks through real-world examples demonstrating how these systems can be manipulated.

Speaker Bio
Bruno Morisson is a seasoned cybersecurity expert with over two decades of experience in offensive security, penetration testing, and red teaming. As Partner and Offensive Security Services Director at Devoteam Cyber Trust, he leads security testing across web and mobile applications, IoT, OT/SCADA, and threat-led penetration testing frameworks like TIBER-EU and DORA. He is the founder and organizer of BSidesLisbon, Portugal's top security conference, and a member of the CREST Europe Council. His research includes multiple CVE disclosures, Metasploit modules, and publications on SAP security, honeypots, and Linux audit systems. He holds an MSc in Information Security from Royal Holloway and certifications including OSCP, CISSP, CISA, and GIAC GPEN.
