threat modeling


There are a couple of new, short (4-page), interesting papers from a team at KU Leuven, including “Knowledge is Power: Systematic Reuse of Privacy Knowledge for Threat Elicitation” and “A Comparison of System Description Models for Data Protection by Design.” What makes these interesting is that they are digging into better-formed building blocks of threat modeling,…

Read More Testing Building Blocks

There’s a great post from my friends at Continuum, “Three Killer Arguments for Adopting Threat Modeling.” Their arguments are “Threat Modeling Produces Measurable Security,” “Threat Modeling Done Right Encourages Compliance,” and “Threat Modeling Saves You Money.” (Actually, they have 6.)

Read More 3 Arguments for Threat Modeling


I’m quite happy to say that my next LinkedIn Learning course has launched! This one is all about spoofing. It’s titled “Threat Modeling: Spoofing in Depth.” It’s free until at least a week after RSA. Also, I’m exploring the idea that security professionals lack a shared body of knowledge about attacks, and that an entertaining…

Read More Spoofing in Depth


Chris Eng said “Someone should set up a GoFundMe to send whoever wrote the hit piece on password managers to a threat modeling class.” And while it’s pretty amusing, you know, I teach threat modeling classes. I spend a lot of time crafting explicit learning goals, considering and refining instructional methods, and so when a…

Read More What Should Training Cover?


Omer Levi Hevroni has a very interesting post exploring ways to represent threat models as code. The closer threat modeling practices are to the engineering practices already in place, the more impactful they will be, and the more they will become a standard part of delivery. There’s interesting work in both transforming threat modeling thinking into…

Read More Threat Modeling as Code