We get many things from whiteboards. One of those is a sense of impermanence – that the work on them is a work in progress. That it’s a sketch, rather than a final product. And I missed whiteboards, so working with my partners at Agile Stationery, we created not only whiteboards, but also stencils to…Read More Stencils and Sketch Books
There’s a threat modeling manifesto being released today by a diverse set of experts and advocates for threat modeling. We consciously modeled it after the agile manifesto and it’s focused on values and principles. Also, there’s a podcast that gives you a chance to listen, behind-the-scenes at The Threat Modeling Manifesto – Part 1.Read More A Threat Modeling Manifesto
I haven’t talked about it much, but I spent the first few months of the pandemic learning how to deliver effective training in a distributed (online) model. I’m really proud that our distributed class NPS customer satisfaction scores are now comparable to our in-person classes. Also it’s been a lot of hard work, and in…Read More Training: Threat Modeling for Security Champions
The reason I hate compliance programs is because they’re lists of things we need to do, and many times, those things don’t seem to make a great deal of sense. In threat modeling, I talk about the interplay between threats, controls, and requirements, and I joke that “a requirement to have a control absent any…Read More A PCI Threat Model
There’s a good, long article at MartinFowler.com “A Guide to Threat Modelling for Developers.” It’s solid work and I’m glad its out there. And I want to do something I don’t usually do, which is quibble with footnotes. Jim writes in footnote 2: Adam Shostack, who has written extensively on threat modelling and has provided…Read More Starting Threat Modeling: Focused Retrospectives are Key
There’s been a lot of talk over the last week about “updating threat models” in light of the Tesla insider story. (For example.) I’m getting this question a fair bit, and so wanted to talk about insiders in particular, and how to use the news in threat modeling more generally. This also is a great…Read More Threat Modeling, Insiders and Incentives
The Elevation of Privilege game has had way more staying power than I would have expected. But the online experience in this time of global pandemic has left out some of the magic that made it work. So I was really skeptical when Simon Gibbs from Agile Stationery mailed me about an approach to playing…Read More Elevation of Privilege In The Time of Cholera
So Chris Romeo has a blog post, “Threat modeling: better caught than taught.” In it, he advocates for threat modeling being a skill passed on informally. And, like many things in threat modeling, that’s attractive, sounds fun, and is utterly wrong. Let’s threat model this: What are we working on? Scaling threat modeling across all…Read More Better Taught Than Caught!
I have something to disclose: the release of my new course on information disclosurehas just launched on Linkedin! 🎉🥂 To celebrate, I’ve made it easier to disclose the contents by making it free for you link here Please help me disclose this information to the world!Read More Information Disclosure In Depth!
At the Biohacking Village at Defcon, there was an interesting talk on Includes No Dirt threat modeling. I thought this slide was particularly interesting. As threat modeling moves from an idea through pilots and deployments, and we develop the organizational disciplines of threat modeling, the question of ‘when do we do this’ comes up. There’s…Read More When to Threat Model