Data Flow Diagram (DFD) is a common approach to threat modeling. But some end up getting too complex to comprehend. Do you use DFDs or not? If not, what else do you use?
Hi folks! I wanted to share a blog post, C2PA Threat Modeling, and get thoughts on a question: did they do a good job?

Threat modeling for an industry standard is different than threat modeling for a thing you're building for internal use, which is different than threat modeling for an API or a platform. One of my key goals in my Threat Modeling Thursday blogs is that no one should ever wince because I'm going all Gordon Ramsay on them. So while I intentionally accentuate the positive, I'm curious: what else can we learn by looking at their work?
Hi - first post here. I've been using STRIDE for some time. I heard for the first time about "STRIDE-LM" at ThreatModCon23 but was not able to pin down its definition. I've since heard two possible definitions: LM = Lateral Movement, or LM = Leaking, Masquerading. Is there any consensus, and does anyone know the origins of this addition/extension to the classic STRIDE?

Thanks,
-Bill
Hi All,

One of the issues that I run into constantly with threat modeling is the noise level. That is to say, many false positives. One way to look at this, I suppose, is that these false positives are an indication that you've cast a wide enough net. But this leads to hours tracking down the justification to write off these N/A threats. (These false positives may also tend to overwhelm developers who are new to threat modeling - it is difficult to convince them that threat modeling works when they have to spend so much time weeding out the junk.)

I tend to think that the answer to this is "better data". However, given that threat modeling is *ideally* done as early in the SDLC as possible, when quality/rich/complete design data may not yet be available, how can one mitigate these false positives and tune threat modeling to achieve higher quality, less noisy results? Looking for ideas here...

Thanks,
-Bill
One question I am often asked by the many organizations I work with is: where do I begin? How do I get started threat modeling? What do I threat model, and what do I need to be concerned with? As with everything you do, you must be willing to take the first step. Taking on a new challenge is often very intimidating, and the fear of failure is real. My advice is to start with the smallest, most simple application or workflow you have. Keep your model small and specific to a singular process. If you identify 1 new threat today, then you have accomplished something significant. I also encourage people not to take this task on by themselves. Threat modeling is a collaborative process. No one knows everything, so leverage the knowledge of your teams. And because you have kept your model compartmentalised, your collaborators will not feel overwhelmed. Finally, I highly encourage people to move the process of threat modeling left. By this I mean, start the process very early in the software de
They say a picture is worth a thousand words, and so including some kind of diagram in your threat modelling process likely aids in understanding the system being threat modelled. But some diagrams can end up looking like "spaghetti and meatballs", depending on the complexity of the system. I thought it would be interesting to take the pulse of the community on this topic, so we can better understand what approaches are being used.

Note: if your threat modelling approach uses lots of diagrams, perhaps just answer for the scenario where you were forced to choose just one.
I'd like to discuss how organizations can introduce security and adapt to the ever-changing cybersecurity landscape while maintaining seamless operations. What are some of the significant challenges that you faced in trying to 'scale' security, and how did you address them? 🤔
About this workshop

In this workshop, you'll learn the basics of threat modeling and apply the knowledge to create a threat model following six steps right in a spreadsheet. The six-step spreadsheet template is based on the STRIDE framework, one of the most popular security threat modeling methodologies.

Agenda
- Introduction to Threat Modeling
- What's threat modeling
- Threat Modeling classification: STRIDE
- Threat Modeling elements
- Threat Modeling process: the four-question framework
- Applying STRIDE to Threat Modeling elements
- Cloud Threat Modeling
- Demo: using the six-step spreadsheet template to create a threat model for a two-tier web application

Recording, Template, Written Guide, Slide Deck
- Template: https://docs.google.com/spreadsheets/d/1AbouySzNorXs7sXwnMkZYkGdWeKESnJtKK_JfiTXBIE/edit?usp=sharing
- Written guide for how to use this template
- Slide deck in the attachment

About the w
Can you share the link to how to join this meeting? I only see the link "Continuous Security: Leverage Incremental Threat Modeling", but it does not show how to join the meeting.
About this time last year, Threat Modeling Connect was born. With a mission to bring threat modeling to everyone, we are a community that brings like-minded individuals together to learn, share, and collaborate on their threat modeling journeys. It was hard to believe that within less than a year, we launched ThreatModCon - the first and only Threat Modeling Conference in the industry.

It was an absolute blast seeing our community come together for a day of threat modeling feast. We wanted to give you a quick rundown of all the awesomeness that went down at this event! With a completely sold-out event, we entered the conference with a packed house and over 130 threat modeling practitioners from all over the world. We had two tracks with 12 mind-blowing sessions covering everything from the purpose and scope of threat modeling to the technical nitty-gritty. It was a deep dive into the art and science of threat modeling. But it wasn't just about the sessions. ThreatModCon 2023 was all about building con
Greetings ThreatModelingConnect Community, ThreatModCon 2023 is fast approaching (https://www.threatmodelingconnect.com/events/threatmodcon-2023-38)! As part of the conference, we're planning to host several Birds of a Feather (BoF) sessions during lunch. For those unfamiliar, BoF sessions are informal gatherings of like-minded individuals to discuss topics or common issues encountered without a pre-planned agenda. We wanted to reach out to the community for feedback on what topics/issues you would be interested in discussing at ThreatModCon 2023.
A guideline on the core values and principles of threat modeling
A documentation project focusing on threat modeling techniques
A free threat modeling automation tool created by IriusRisk