Evil User Stories - Improve Your Application Security - Anne Oikarinen

30th April 2020
  • Locked
Anne Oikarinen's profile
Anne Oikarinen

Senior Security Consultant

Evil User Stories - Improve Your Application Security - Anne Oikarinen image
A free account is required to view this content
Sign Up Sign In
Like Bookmark Add to collection
Talk Description

Are you tired of fixing security bugs afterwards in a hurry? Have you gone through depressing penetration testing reports too many times? Evil user stories are a way of addressing security threats in the planning and implementation phase.

The idea of evil user stories is simple: First, identify important data and assets in the application you are protecting. Then, identify threat scenarios by completing the sentence "An attacker should not be able to...". 

You can use evil user stories in development by putting them in the backlog and adding mitigations as acceptance criteria. This helps in implementing security together with functionality. In addition, they are a good starting point for test planning and getting testers involved in design. 

You will learn to create evil user stories from different attacker perspectives and will be able to make security efforts visible in the backlog which is a step closer to building security in. 

Takeaways

Key learnings:

  • How to create evil user stories to find potential threats on the system you are protecting
  • Evil user stories make security work visible on the backlog and security features get implemented alongside functionality
  • Evil user stories can be used as test planning aid
  • Different methods of finding attacker perspectives 

By the end of this session, you'll be able to:

  • You will learn to create evil user stories from different attacker perspectives and will be able to make security efforts visible in the backlog which is a step closer to building security in. 
Anne Oikarinen
Anne Oikarinen
Senior Security Consultant

Anne Oikarinen is a Senior Security Consultant who works with security and software development teams to help them design and develop secure software. Anne believes that cyber security is an essential part of software quality.

After working several years in a security software development team in various duties such as testing, test management, training, network design and product owner tasks, Anne focused her career fully on cyber security. In her current job at Nixu Corporation, Anne divides her time between hacking and threat analysis - although as network geek, she will also ensure that your network architecture is secure. Anne also has experience on incident response and security awareness after working in the National Cyber Security Centre of Finland.

Anne holds a Master of Science (Technology) degree in Communication Networks and Protocols from Tampere University of Technology, Finland.

Suggested Content
TestBash Brighton 2025 image

TestBash Brighton 2025

On the 1st & 2nd of October 2025 we're back in Brighton for TestBash: the largest software testing conference in the UK
Explore MoT
Castelo Branco Meetup image

Castelo Branco Meetup

Tue, 6 May
The Future of Testing in an Automated World: Embracing Continuous Learning and A
MoT Software Testing Essentials Certificate image
MoT Software Testing Essentials Certificate
Boost your career in software testing with the MoT Software Testing Essentials Certificate. Learn essential skills, from basic testing techniques to advanced risk analysis, crafted by industry experts. Early access available now at a discounted rate!
Leading with Quality
Leading with Quality
A one-day educational experience to help business lead with expanding quality engineering and testing practices.
This Week in Testing image
This Week in Testing
Debrief the week in Testing via a community radio show hosted by Simon Tomes and members of the community
Subscribe to our newsletter
We'll keep you up to date on all the testing trends.