
As we look at what’s happened with the Russian attack on the US government and others via Solarwinds, I want to shine a spotlight on a lesson we can apply to threat modeling. An example of asset-driven thinking leads the article Hack may have exposed deep US secrets; damage yet unknown. And I don’t want…

Read More: The Asset Trap

[Update: 3 comments] Fireeye’s announcement of their discovery of a breach is all over the news. The Reuters article quotes a ‘Western security official’ as saying “Plenty of similar companies have also been popped like this.” I have two comments. First, it’s easy for anyone to label attackers “sophisticated.” Fireeye certainly has more data and…

Read More: Fireeye Hack & Culture

As we launched the threat modeling manifesto, we ran into some trouble with TLS. Some of you even reported those troubles, by saying “it’s not working.” Thanks. That’s so helpful. Sarcasm aside, there’s a basic form to a helpful bug report: “I did A, and observed B.” If you want to make it really useful,…

Read More: It’s Not Working!


There’s a threat modeling manifesto being released today by a diverse set of experts and advocates for threat modeling. We consciously modeled it after the agile manifesto and it’s focused on values and principles. Also, there’s a podcast that gives you a chance to listen, behind-the-scenes at The Threat Modeling Manifesto – Part 1.

Read More: A Threat Modeling Manifesto