This is a collection of security-related things I've done or contributed to. It's not complete by any measure. If you need help in modern software security, I may be able to help through F-Secure Consulting (contact me directly).

With "modern", I mean one or more of:


I've lectured a basic course on software security, with emphasis on threat modelling and being able to build secure software in a commercially viable fashion.

Spring term 2018 at Aalto University, Spring term 2016 at Aalto University, Spring term 2015 at Aalto University, Spring 2014 at the University of Helsinki.

Tools & c.

Most everything is in unmaintained state and provided mainly for historical reference.


Science marches on. As years of client work have piled up on me, I don't always agree with everything I wrote a long time ago. However, the Internet never forgets.

Agile Product Security Management (2009) is a paper which I submitted to somewhere - I have no recollection where. Based on LaTeX source timestamps, this is most likely November 2009, and is likely my earliest surviving written piece on security in agile development. Some of the practices there (like putting security criteria into a Definition of Done) have not survived the test of time. This one also hints at Leffingwell's model later to be known as SAFe.

This talk on Privacy by Design is the first public outing of the TRIM privacy extension to Microsoft STRIDE - long before the GDPR. Presented at a Nixu seminar in 2011, I called it STRIDE+4 back then. TRIM has also evolved from those and currently means something slightly different.

As a Product Owner, I don't want to get 0wned - managing software security through requirements management. Vintage Topconf Tallinn 2012, SAP Security Expert Summit 2014 and Scan-Agile 2015 fare.

Software security in agile product management (2011). This is an older paper which I have still up for reference. I don't agree with everything I wrote back then any more. But I think the layout came out pretty well.

Software security and agile development and Software Security and DevOps, two presentations at the BSIMM Conference 2013. (BSIMM Conferences are/were invite-only conferences organised by Cigital (later Synopsys) for their BSIMM community.) The first one describes the 'smells of secure agile', cultural and process aspects that either help or hinder security. We used these as a lens to determine opportunities for change for dev teams. These have since evolved - mainly to cover recent DevOps-y practices - and are still being used.

Handbook of The Secure Agile Software Development Life Cycle (2014) has one article from me and another article describing prototype Generic Security User Stories that is also mentioned in the stuff below. I am not a huge fan of those prototype stories any more.

Software security in modern software development. This old presentation is DevSecOps in 2014.

Discovering privacy requirements in software development. Again, really old pre-GDPR stuff from OWASP Helsinki / IAPP KnowledgeNet in January 2015, Forum för Dataskydd in Stockholm in February 2015.

Some podcasts that I had the pleasure of appearing on include Tietoturva ohjelmistokehityksessä (Kyberykset, 2018, in Finnish), Electronic Voting & Why it’s So Hard to Get Right (Cyber Security Sauna, 2019), The Cloud: Security Benefits, Risks & Why You Should Use It (Cyber Security Sauna, 2019).