Effective appsec emerges from DevSecOps tactics like feedback loops, automation, and the flexibility to respond to situations quickly. These tactics emphasize process and tools, sometimes neglecting the knowledge and skills of working with others to build and maintain apps. And the solutions they strive for don’t always catch the importance of how different users can have different threat models. On the technology side of appsec we have clouds, top 10 lists, and tools. But we haven’t built up equivalent resources, references, or models for the people we build apps with and who we build them for. This presentation dives into specific techniques and references for working with people and building threat models that go beyond basic technical concerns. Tabletop role-playing games are a great model for understanding and building skills that are important to DevSecOps teams. They encourage communication, collaboration, and the achievement of shared goals. And they also face the same challenges in solving conflicts, avoiding derailing behaviors, and ensuring everyone participates. Come discover how RPGs can positively influence your security teams. Security is an integral part of DevSecOps. And, yes, it’s made of people.