Starting Threat Modeling: Focused Retrospectives are Key
There’s a good, long article at MartinFowler.com, “A Guide to Threat Modelling for Developers.” It’s solid work and I’m glad it’s out there. And I want to do something I don’t usually do, which is quibble with footnotes. Jim writes in footnote 2: Adam Shostack, who has written extensively on threat modelling and has provided…

Threat Modeling, Insiders and Incentives
There’s been a lot of talk over the last week about “updating threat models” in light of the Tesla insider story. (For example.) I’m getting this question a fair bit, and so wanted to talk about insiders in particular, and how to use the news in threat modeling more generally. This also is a great…

Phil Venables Blogging
Phil Venables is one of the more reflective and thoughtful CSOs out there, and in this era where everything is a tweet or a LinkedIn post (sigh) you may have missed that Phil has a blog. This Labor Day, why not take the time to catch up on his writing?

The Uber CSO indictment
Mark Rasch, who created the Computer Crime Unit at the United States Department of Justice, has an essay, “Conceal and Fail to Report – The Uber CSO Indictment.” The case is causing great consternation in the InfoSec community, partly because it is the first instance in which a CSO or CISO has been personally held…

Podcast with Sidney Dekker
This is a really interesting podcast interview with Sidney Dekker, who’s one of the most important thinkers in safety: The Jay Allen Show on Safety. (Fast forward through the first 3 minutes; the content is quite interesting.) Particularly interesting is his discussion of some ‘best practices’ which come out of a poorly supported chain of…

Elevation of Privilege In The Time of Cholera
The Elevation of Privilege game has had way more staying power than I would have expected. But the online experience in this time of global pandemic has left out some of the magic that made it work. So I was really skeptical when Simon Gibbs from Agile Stationery mailed me about an approach to playing…

Worthwhile books Q2 2020
These are the books that I read in Q2 2020 that I think are worth your time. Sorry it’s late. They’re still worthwhile. 🙂 Cyber: You’ll See This Message When It Is Too Late, by Josephine Wolff. This is an interesting examination of the effects of finger-pointing and blame avoidance on the cybersecurity landscape, with…

Better Taught Than Caught!
So Chris Romeo has a blog post, “Threat modeling: better caught than taught.” In it, he advocates for threat modeling being a skill passed on informally. And, like many things in threat modeling, that’s attractive, sounds fun, and is utterly wrong. Let’s threat model this: What are we working on? Scaling threat modeling across all…

Information Disclosure In Depth!
I have something to disclose: the release of my new course on information disclosure has just launched on LinkedIn! 🎉🥂 To celebrate, I’ve made it easier to disclose the contents by making it free for you (link here). Please help me disclose this information to the world!

MDIC Annual Public Forum
I’ll be speaking at the MDIC’s Annual Public Forum today, discussing how threat modeling helps bring maturity to the medtech sector. Join us shortly!