Shostack + Friends Blog

When to Threat Model

A talk from the Biohacking Village at DefCon brought up a good point. screenshot from virtual talk discussed in the article

At the Biohacking Village at Defcon, there was an interesting talk on Includes No Dirt threat modeling. I thought this slide was particularly interesting. As threat modeling moves from an idea through pilots and deployments, and we develop the organizational disciplines of threat modeling, the question of 'when do we do this' comes up. There's good appsec focused answers like 'every sprint', or 'in line with your waterfall, but those answers aren't universal. For example, they don't help when you're thinking about your supply chain.

The talk by William Dogherty and Patrick Curry (shown) covers a lot of these organizational discipline factors, and this slide appears about 53 minutes in. The whole talk is worth watching.

My previous discussion of the approach overall is in Includes No Dirt: Healthcare Threat Modeling.

Originally published by Adam on 12 Aug 2020
Categories: threat modeling

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The ATOM feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.