OWASP Global AppSec US 2021 has ended
Friday, November 12 • 4:00pm - 5:00pm
Security Design Anti-Patterns – Creating Awareness to Limit Security Debt

This speech discusses Security Anti-Patterns, observed as outcomes of Threat Modeling activities, which require extensive rework if not accounted for in the design phase of the SDLC.
It also gives guidance on how to identify these Security Design Anti-Patterns in order to create awareness for Developers and Threat Modeling practitioners.

Mitigating Threats by implementing missing controls is part of fixing (acquired) Security Debt.
Threat Modeling activities aim at identifying missing controls very early on in the design phase of the SDLC.
However, not all Security Design flaws are created equal in terms of how easily they can be fixed. Apart from the impact that unmitigated threats have on a system’s security posture, there is also the cost that development teams have to bear for implementing missing controls.
Some design flaws or security threat mitigations can be fixed more easily than others. The Anti-Patterns described in the speech could result in a complete re-design of applications to fix security debt.
In the worst case, compliance will not allow the new system to be launched, or the new system cannot easily be extended in a secure way.

Speakers
Joern Freydank

Lead Cyber Security Engineer with more than 20 years of experience. Currently establishing the Threat Modeling Program at a major insurance company. Performed Application Security reviews and designed new CI/CD Controls for AWS cloud-based Java and NodeJS applications. Designed and developed...


Friday November 12, 2021 4:00pm - 5:00pm PST
On-Line