threat modeling

The reason I hate compliance programs is because they’re lists of things we need to do, and many times, those things don’t seem to make a great deal of sense. In threat modeling, I talk about the interplay between threats, controls, and requirements, and I joke that “a requirement to have a control absent any…

Read More A PCI Threat Model

Post thumbnail

The Elevation of Privilege game has had way more staying power than I would have expected. But the online experience in this time of global pandemic has left out some of the magic that made it work. So I was really skeptical when Simon Gibbs from Agile Stationery mailed me about an approach to playing…

Read More Elevation of Privilege In The Time of Cholera

Post thumbnail

At the Biohacking Village at Defcon, there was an interesting talk on Includes No Dirt threat modeling. I thought this slide was particularly interesting. As threat modeling moves from an idea through pilots and deployments, and we develop the organizational disciplines of threat modeling, the question of ‘when do we do this’ comes up. There’s…

Read More When to Threat Model