Building Secure Foundations: Reflections on Security Engineering
About Me
Hi, I’m Marco Morana. Much of my work revolves around a simple but fundamental question: how can we design systems that are secure from the start—before attackers have the opportunity to exploit them? That question has shaped the way I approach security architecture, threat modeling, and risk management throughout my career. Today, I’m the Founder of Threat Modeling Academy LLC, where I deliver conference talks, executive briefings, and instructor-led training programs focused on threat modeling, secure architecture, and the security challenges surrounding emerging technologies. In parallel, I serve as a consulting Field CISO for Avocado Systems, a company building runtime threat modeling and security automation tools that help organizations understand risk in real time. Over the past 20+ years, I’ve worked across the financial sector in senior security roles at organizations such as JPMorgan Chase and Citigroup, helping teams secure large-scale financial platforms, digital assets, and emerging distributed technologies. Those experiences shaped the way I approach security today: not as a checklist, but as an architectural discipline that must be built into systems from the start.
Along the way I’ve also been fortunate to contribute to the broader security community. I helped develop the PASTA threat modeling methodology and authored the book Blockchain Application Security: How to Design Secure and Attack‑Resilient Blockchain Applications. I also co-lead the development of the OWASP AI Testing Guide, which is helping practitioners bring structured security testing and threat modeling to modern AI systems. Through Threat Modeling Academy, I focus on helping CISOs, security architects, and engineering teams translate complex security frameworks into practical, real-world approaches. My training programs and talks cover everything from cloud and API architectures to blockchain ecosystems, DeFi platforms, and AI-driven applications, always with a strong emphasis on security-by-design. I’m also an active contributor to the global security community through OWASP initiatives, mentorship, and industry collaboration, and I continue to explore how new technologies—from AI to decentralized systems—can be adopted securely and responsibly.
Security by Design as a Risk Management Strategy
For me, Security by Design is not simply a development practice—it is a leadership approach to managing technology risk. Effective security begins at the architectural level, where design decisions determine how systems behave under stress, misuse, or attack. When security considerations are introduced early in the design process, organizations can move from reactive controls to proactive risk management embedded directly into system architecture. In practice, this means ensuring that security controls are consistently mapped across all architectural layers, from infrastructure and application components to APIs and data flows. Understanding how information moves through a system—who accesses it, where it is stored, and how it is protected—is essential to safeguarding sensitive assets through mechanisms such as strong authentication, access controls, encryption, and secure design patterns.
One of the most effective tools for achieving this alignment is threat modeling at the architecture stage. By analyzing potential attack paths before systems are implemented, teams can identify structural weaknesses early and make informed design decisions that reduce systemic risk. Addressing these issues during the design phase significantly lowers remediation costs and strengthens the resilience of the final system. Ultimately, security must function as an enabler of innovation, not an obstacle to it. Organizations that embed security into their architecture and development practices are better positioned to adopt new technologies with confidence while maintaining strong governance and risk oversight.
Building Security on Engineering Foundations
Beyond cybersecurity practices and operational controls, a strong foundation in application security and security architecture can be grounded in broader engineering principles. These principles emphasize structured problem solving, analytical reasoning, and systematic approaches to managing complexity—capabilities that are essential when designing secure systems in modern technology environments. In this context, security architecture and vulnerability management benefit from the same rigor traditionally applied in engineering disciplines: the use of risk-based analysis, modeling techniques, and structured evaluation of system behavior under adversarial conditions. Applying these methods allows security professionals to move beyond reactive vulnerability remediation and toward a more disciplined practice of anticipating, modeling, and mitigating potential threats at the architectural level.
Through practical experience designing and securing complex platforms, I have learned to apply these engineering-driven approaches to the protection of emerging technology ecosystems, including distributed systems and blockchain-based infrastructures. Such environments introduce new architectural paradigms—decentralized trust models, programmable digital assets, and autonomous protocols—which require security practitioners to adapt traditional risk analysis and threat modeling methods to novel technological contexts. By combining engineering discipline, security architecture practices, and risk management frameworks, it becomes possible to build security strategies that not only address known vulnerabilities but also provide a structured methodology for evaluating and securing innovative platforms as they evolve.
Engineering Roots: From Space Systems to Secure Systems
My passion for research and scientific inquiry has shaped my professional path from the very beginning. Early in my career, I worked in aerospace engineering, contributing to the design and engineering of a satellite that flew aboard the Tethered Satellite System mission, a joint program sponsored by NASA and the Italian Space Agency, and deployed from the Space Shuttle. Working on space systems provided an early exposure to highly complex engineering environments where reliability, systems thinking, and rigorous analysis were essential. Over time, my research interests gradually expanded from aerospace engineering toward information security and secure systems design. This transition also took place during my work at NASA, where I contributed to the development of a secure email system for space mission communications. For this work, I received a formal recognition for a technological contribution whose creative development supported and advanced aerospace and aeronautical activities. The experience marked an important turning point in my career, reinforcing my interest in the intersection between engineering disciplines and secure computing systems.
Since then, I have continued to approach cybersecurity challenges with a research-driven methodology, combining analytical reasoning, experimentation, and continuous learning to develop evidence-based security practices. Staying informed about emerging technologies—and understanding the engineering principles behind them—allows me to evaluate both their opportunities and their risks with greater depth. My scientific curiosity extends well beyond cybersecurity. I maintain a strong personal interest in fields such as astrophysics, aerospace systems, and mechanical engineering, disciplines that emphasize systems thinking and scientific rigor. This blend of research curiosity and practical engineering perspective continues to shape how I approach security architecture, threat modeling, and risk management, particularly when evaluating and securing emerging technologies.
Training & Mentorship
Training and mentorship are central to my professional identity. Throughout my career, I have been committed to helping develop the next generation of engineers, architects, and security professionals by sharing practical knowledge and fostering a culture of continuous learning. I have designed and delivered training programs on threat modeling, secure architecture, and application security, and have helped organizations establish security champions programs that empower engineering teams to integrate security practices directly into their development workflows. These initiatives are intended not only to transfer technical skills, but also to encourage a deeper understanding of security as a collaborative and ongoing discipline.
Mentorship has also been an important component of my leadership approach. In building and leading global security teams, I have focused on creating environments that support professional growth, engagement, and innovation. By encouraging knowledge sharing, cross-disciplinary collaboration, and curiosity about emerging technologies, I aim to help individuals expand their capabilities and contribute meaningfully to the advancement of cybersecurity. Ultimately, investing in people—through training, mentorship, and collaborative learning—is one of the most effective ways to strengthen both organizations and the broader security community.
Rethinking Software Security for the Next Generation of Systems
Looking back over the course of a career, it becomes clear that the connections between experiences often reveal themselves only in hindsight. Reflecting on this journey, I shared some early thoughts on the future of software security several years ago in this blog. More than twenty years later, that conviction remains central to my work. I continue to believe strongly in embedding security research and risk management principles at the core of software engineering and system design. Despite the rapid evolution of technology—including transformative developments such as artificial intelligence and blockchain—the fundamental challenge of building secure systems has not changed.
Today, security professionals—whether consultants, security architects, heads of application security, or CISOs—must continuously revisit and reinvigorate the principles of security by design. The foundational ideas behind secure software development remain as relevant as ever, and our responsibility is to apply them thoughtfully to new technological paradigms in order to address the enduring problem of insecure software, products, and digital services.
