Post thumbnail
I am very excited to announce that Linkedin Learning has released “Threat Modeling: Denial of Service and Elevation of Privilege.” This is the sixth course I’ve done with them, and completes a cycle which starts with “Learning Threat Modeling for Security Professionals,” and then steps through each of the STRIDE threats in depth. (We combined…
Read More Linkedin Learning
Post thumbnail
Abhay Bhargav has a really excellent post on Better OKRs for Security through Effective Threat Modeling. I really like how he doesn’t complain about the communication issues between security and management, but offers up a concrete suggestion for improvement. Key quote: “Effective Threat Modeling by itself can ensure that your OKRs and AppSec Program are…
Read More “Better OKRs Through Threat Modeling”
Post thumbnail
For Data Breach Today, I spoke with Anna Delaney about threat modeling for issues that are in the news right now: “Does your organization have a plan in place if one of your employees is accused via Twitter of being an insurrectionist? If your software was being used to spread plans for a riot, could…
Read More Threat Modeling and Social Issues
Post thumbnail
I’m very excited that Gary McGraw is joining the Irius Risk Technical Advisory Board as board chair. Gary’s a pioneer in software security, and his work in machine learning was my choice to kick off blogging 2020.
Read More Irius Risk & Gary McGraw
Post thumbnail
As we look at what’s happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling. An example of asset-driven thinking leads the article Hack may have exposed deep US secrets; damage yet unknown. And I don’t want…
Read More The Asset TrapI had not seen Threat modelling at the FT. In in Lisa Fiander and Costas K share their experiences with Elevation of Privilege played remotely. It’s a pleasant surprise to see how well EoP works in this remote world. I’d written about and then done a session with Agile Stationery; seeing independent reports is great!
Read More Elevation of Privilege In a Time of Cholera, Redux
Post thumbnail
We get many things from whiteboards. One of those is a sense of impermanence – that the work on them is a work in progress. That it’s a sketch, rather than a final product. And I missed whiteboards, so working with my partners at Agile Stationery, we created not only whiteboards, but also stencils to…
Read More Stencils and Sketch Books
Post thumbnail
There’s a threat modeling manifesto being released today by a diverse set of experts and advocates for threat modeling. We consciously modeled it after the agile manifesto and it’s focused on values and principles. Also, there’s a podcast that gives you a chance to listen, behind-the-scenes at The Threat Modeling Manifesto – Part 1.
Read More A Threat Modeling Manifesto
Post thumbnail
I haven’t talked about it much, but I spent the first few months of the pandemic learning how to deliver effective training in a distributed (online) model. I’m really proud that our distributed class NPS customer satisfaction scores are now comparable to our in-person classes. Also it’s been a lot of hard work, and in…
Read More Training: Threat Modeling for Security ChampionsThe reason I hate compliance programs is because they’re lists of things we need to do, and many times, those things don’t seem to make a great deal of sense. In threat modeling, I talk about the interplay between threats, controls, and requirements, and I joke that “a requirement to have a control absent any…
Read More A PCI Threat Model