Threat Modeling in the Gaming Industry

Presented at THOTCON 0x6 (2015), May 14, 2015, 6:30 p.m. (25 minutes)

Modern games are complex pieces of software, running on multiple platforms across many different genres, and with a variety of player goals dependent on the game. Despite the complexity of modern games, many common security issues exist that we can identify and expand upon during the planning, development, and testing phases of the development process. Threat modeling is a security activity that maps threats and their respective attack vectors, assets, and controls to a system to help identify vulnerabilities and assist with secure system design. If you’re working with games, then this talk will help you understand how issues around client-side logic, proprietary network protocols, user account management, and playing on an untrusted platform can impact overall security and the user’s experience. By addressing security issues during the design and development stages and then reinforcing them during testing, we can move the industry towards creating a more secure gaming experience.


  • Robert Wood
    Robert Wood is a Technical Manager and the Red Team Practice Director at Cigital, with over 5 years of experience in a variety of roles including application security consultant, network penetration tester, red teamer, and digital forensics analyst. Robert has worked with organizations across a variety of verticals including gaming and entertainment, financial services, healthcare, ISVs, military, and defense. Specific to the gaming industry, Robert has performed comprehensive assessments on gaming consoles, mobile games, PC-based MMORPGs, online multiplayer console games, and a variety of game development frameworks. Robert’s experience in the gaming industry focuses on security from a holistic perspective, bridging his system design, embedded systems development, reverse engineering, and network security experience together. As a Technical Manager at Cigital, Robert has led and performed assessments that span the software development lifecycle and security operations, including but not limited to: secure code reviews, architecture risk analysis, penetration tests, and red team assessments.
