Post thumbnail
On Linkedin, Peter Dowdall had a very important response to my post on remote threat modeling. Because comments on Linkedin are a transient resource, I’m going to quote heavily: The team here ran a session with people in the same room using Miro (maybe 1 remote) and we found it stripped the barriers of either…
Read More Power Dynamics in Threat Modeling
Post thumbnail
Practicing physical distancing has already dramatically changed how we work, and will continue to do so. Being physically distant means we can’t use a whiteboard to help us talk through “what are we working on?” There are technical facets of threat modeling, like using visual models to show and scope “what are we working on?”…
Read More Answering “What Are We Working On” When Remote
Post thumbnail
Threat modeling figures heavily in the FDA’s thinking. It’s been part of the first cybersecurity pre-market guidance, it was a big part of the workshop on ‘content of premarket submissions,’ etc. There have been lots of questions about how to make that happen. I’ve been working with the FDA and the MDIC, and we have…
Read More Medical Device Threat Modeling
Post thumbnail
This post comes from a conversation I had on Linkedin with Clint Gibler. He wrote: One challenge I’ve heard from a number of companies is that, with say 3-5 AppSec engineers supporting 500 – 1000 devs, you can’t TM every story, or even every epic. So what do you focus on? The high risk /…
Read More Threat Modeling with Questionnaires
Post thumbnail
The current situation is scary and anxiety-provoking, and I can’t do much to fix that. One thing I can do is give people a chance to learn, and so I’m making my Linkedin Learning classes free this week. (I’m told that each class is free for the day, so you’ll need to watch each within…
Read More Free Threat Modeling Training
Post thumbnail
Amazon has released a set of documents, “Updates to Device Security Requirements for Alexa Built-in Products.” I want to look at these as a specific way to express a threat model, which is threat modeling along the supply chain, talk about the proliferation of this different kind of model, and what it means for engineering.…
Read More Amazon’s “Alexa Built-in” Threat Model
Post thumbnail
At Blackhat this summer, I’ll be offering threat modeling training at Blackhat. Last year, these sold out quickly, so don’t wait! This hands-on, interactive class will focus on learning to threat model by executing each of the steps. Students will start threat modeling early on day 1, followed by an understanding of traps that they…
Read More Threat Modeling Training at Blackhat 2020
Post thumbnail
The Berryville Institute of Machine Learning (BIML) has released “An Architectural Risk Analysis of Machine Learning Systems.” This is an important step in the journey to systematic, structured, and comprehensive security analysis of machine learning systems, and we can contrast it with the work at Microsoft I blogged about last month. As always, my goal…
Read More Threat Model Thursday: BIML Machine Learning Risk Framework
Post thumbnail
My course, “Repudiation in Depth” is now live on Linkedin Learning. This is the fourth course I’ve created, starting with “Learning Threat Modeling“, and courses on “spoofing“, “tampering“, and now, repudiation. (You can probably see where this is going, and I’m making great strides towards the goal. Sorry not sorry.) I’d say it’s not my…
Read More Repudiation Now Live on Linkedin LearningFor reasons I can’t quite talk about yet, this has been a super busy time, and I look forward to sharing the exciting developments that have kept me occupied. In the meantime, my friends at Agile Stationery have transcribed a talk that Mark Vinkovits and I gave at AppSec Cali last year. Their posts are…
Read More Threat Model Thursday: Games