BSides Perth 2025

Christian Frichot

Christian Frichot (he/him) is an application security professional with a passion for threat modelling & OSS, who spends his free time trying to avoid computers. Currently working at Atlassian as a Senior Product Security Manager, Christian has a history spanning both large tech companies internationally (LinkedIn, Salesforce, SafeStack, GM Cruise, HashiCorp) and local Aussie orgs (Bankwest, Asterisk, CyberCX, Rio Tinto). He's also been fortunate enough to present at wonderful events such as Kiwicon, DEFCON, CactusCon, OWASP APAC, Black Hat Arsenal and BSidesSF. Christian is also the co-author of The Browser Hacker's Handbook, published by Wiley, and the creator of threatcl.github.io.


Session

10-18
16:00
30min
Threat Modelling as Code: Building Security into Your Git Workflow
Christian Frichot

Learn how to integrate threat modelling directly into your development workflow using open-source tools and Infrastructure-as-Code principles. This talk demonstrates how to write threat models as configuration files, integrate them into GitHub Actions pipelines, and even use SAST tools to validate security assumptions automatically. Don’t want to write configuration files? Don’t worry, there’s an MCP Server for that too!

We'll explore practical examples including:
- Writing your first threat model in HCL using threatcl
- Setting up CI/CD pipelines to validate threat models on every commit
- Using Semgrep rules to enforce security patterns in your threat models
- Generating visual diagrams and security documentation automatically
- Leveraging Git's version control to track how threats evolve with your codebase

Attendees will leave with working examples, GitHub Action templates, and the knowledge to implement "Threat Modelling as Code" in their projects immediately. We'll also touch on emerging patterns using AI tools to assist with threat identification.
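To make the "threat model as a configuration file" idea concrete, here is a small threatcl model in HCL. This is an added illustration written for this listing, not material from the talk or from the threatcl project; it follows the block structure used in the threatcl (formerly hcltm) documentation (threatmodel, information_asset, threat, expanded_control), but the spec_version value, the system being modelled and the threat wording are assumptions chosen for the example.

```hcl
# Added example: a minimal threatcl threat model committed beside the code it describes.
# spec_version is an assumption; use the value your installed threatcl release expects.
spec_version = "0.1.10"

threatmodel "Customer Portal API" {
  description = "Example only: a public REST API that serves customer profile data"
  author      = "@example-owner" # placeholder handle, not a real author

  # Assets the model protects; classification is what reviewers will check against.
  information_asset "customer PII" {
    description                = "Names, addresses and contact details returned by the API"
    information_classification = "Confidential"
  }

  usecase {
    description = "A logged-in customer fetches and updates their own profile"
  }

  # Each threat records the STRIDE category, the impact and the control status,
  # so a reviewer (or a CI check) can see at a glance what is still unmitigated.
  threat {
    description = "An attacker tampers with the profile ID to read another customer's data"
    stride      = ["Information Disclosure", "Elevation Of Privilege"]
    impacts     = ["Confidentiality"]

    expanded_control "Object-level authorisation on every profile read" {
      description = "The handler verifies the requested profile belongs to the authenticated subject"
      implemented = true
    }
  }

  threat {
    description = "Leaked API tokens are replayed from a new network location"
    stride      = ["Spoofing"]
    impacts     = ["Confidentiality", "Integrity"]

    expanded_control "Short-lived tokens with rotation" {
      description = "Access tokens expire within minutes and refresh tokens are bound to the client"
      implemented = false
    }
  }
}
```

The file is committed alongside the service, so every change to a threat or control is a reviewable diff in Git history. A CI step then runs the threatcl CLI's validate command over the file on each commit (the exact command and action wiring will be whatever the talk's templates show); an `implemented = false` control like the second one above is the kind of assumption a Semgrep rule or a custom check can flag before the model is merged.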

Main Speaking Track
Wesfarmers Theatre