Get ready for the second ThreatModCon - now global with our first-ever Europe edition. Early bird tickets on sale now.
Hackathon is back. Join global threat modelers to tackle AI challenge & win! 🏆 Register by March 22.
Delve into the non-keynote keynote, ten expert talks, two hands-on workshops, the Adam Shostack award (wow!), and more.
This article is co-authored by Nick Kirtley and Michael Bernhardt, who met at ThreatModCon 2023 and started this exercise of defining the value of threat modeling. This post marks the beginning of an iterative process aimed at refining the framework. Nick and Michael would love to hear your thoughts! Your input is super important as they keep refining the framework. Whether you have questions, ideas, thoughts, or feedback, feel free to leave them in the comments below! 😊

- How does the application of Threat Modeling compare to Penetration Testing?
- How can we define the ROI for Threat Modeling?
- Aspects to consider when aiming to define the value of Threat Modeling
- Defining the value of proactively resolving issues
- Defining the value of preventing a successful breach
- Defining the value of preventing reputational and regulatory impact
- Conclusion
- Comments, questions, or feedback?

It’s now been more than 15 years since a cohort of Microsoft thought leaders and Threat Modeling being applied by
What is the best way to store and reuse existing threat models? Confluence, SCM …??
Starting threat modeling can be daunting. How do you navigate the maze of scoping without succumbing to scope creep? Defining the scope is a balancing act that is as much an art as a science. Join Robert Hurlbut as he unveils key strategies and tactics honed through years of experience implementing the Threat Modeling Program at Bank of America, involving 40,000 developers, over 10,000 products, and 1,500+ threat models.

Slides: https://4550632.fs1.hubspotusercontent-na1.net/hubfs/4550632/Threat%20Modeling%20Connect/Meetups/Scoping_for_Threat_Modeling_Robert_Hurlbut_.pdf

Speaker: Robert Hurlbut, Principal Application Security Architect / Threat Modeling Lead, Aquia Inc
Hi All;

One of the issues that I run into constantly with threat modeling is the noise level. That is to say, many false positives.

One way to look at this, I suppose, is that these false positives are an indication that you’ve cast a wide enough net. But this leads to hours tracking down the justification to write off these NA threats. (These false positives may also tend to overwhelm developers who are new to threat modeling - it is difficult to convince them that threat modeling works when they have to spend so much time weeding out the junk.)

I tend to think that the answer to this is “better data”. However, given that threat modeling is *ideally* done as early in the SDLC as possible, when quality/rich/complete design data may not yet be available, how can one mitigate these false positives, and tune threat modeling to achieve higher quality, less noisy results?

Looking for ideas here…

thanks,
-Bill
A round of applause for @Dave (Dave Soldera), who delivered an exceptional presentation at our Community Meetup last month! We'd also like to extend a heartfelt shoutout to @Robin (Robin Ninan) for his engaging facilitation, ensuring the conversation flowed seamlessly.

In case you missed the session or wish to relive the valuable insights, the recording is available. Additionally, you can find the presentation slides and templates referenced by Dave during the session in the article below.

We received an abundance of questions during the Q&A. While we couldn't address all of them due to time constraints, fear not! Get ready as Dave takes on these unanswered questions right here:

Q: How much time do you typically spend threat modeling an average-size app/service?

Q: At what point in the threat modeling process would you recommend reviewing the effectiveness and value of the “consistency” and modifying it for better results?

Q: How do you avoid duplicating efforts between the
We’re delighted to kick off the Call for Papers (CfP) for ThreatModCon Lisbon 2024, and we want YOU to be a part of the journey!

Conference Theme: Advancing Threat Modeling Capabilities Together

At the heart of ThreatModCon, our mission is to collectively push the boundaries of threat modeling. Your unique insights are the key to making this vision a reality. We’re eagerly looking for contributions across a spectrum of topics, including, but not limited to:

- Threat Modeling Methodologies and Frameworks
- Threat Modeling Techniques and Open Source Tools
- Uses of Machine Learning and AI for Threat Modeling
- Security Design Patterns
- Privacy and Data Protection Considerations in Threat Modeling
- Risk Analysis, Prioritization, and Management
- Training and Awareness for Threat Modeling
- Case Studies, Best Practices, and Lessons Learned
- The Role of Standards, Guidelines, and Regulations in Threat Modeling
- Integration of Threat Modeling into DevSecOps and Agile Development
- New category: Threat Modeling R
The Call for Presentations (CfP) for ThreatModCon Lisbon is open now through March 1, 2024. Submit your proposal »

We're thrilled to share that in 2024, ThreatModCon is coming at you with a double dose of impact. Join us in Lisbon on June 29th, and later in San Francisco on September 28th. Following the success of our inaugural ThreatModCon in Washington DC last year, we're expanding to bring you two premier editions of the world's only Threat Modeling Conference. Mark your calendars for an insightful journey ahead!

Why Attend?

ThreatModCon 2024 Lisbon and SF are more than just conferences; they are hard-core threat modeling feasts where your interactions have the power to inspire, elevate, or even transform your path in cybersecurity. With two outstanding locations on June 29th and September 28th, respectively, you can choose the experience that suits you best.

What to Expect

Immersive Learning Experience: Delve into a diverse range of threat modeling topics with engaging talks by industry
Overview

Threat modeling is a way of thinking about what can go wrong and how to prevent it. Instinctively, we all think this way in regard to our own personal security and safety. When it comes to building or evaluating information systems, we need to develop a similar mindset - a Threat Modeling Mindset.

Outline

- Understanding a system
- Identifying threats and vulnerabilities
- Determining mitigations
- Applying the mitigations through risk management

Slides: https://4550632.fs1.hubspotusercontent-na1.net/hubfs/4550632/Threat%20Modeling%20Connect/ThreatModCon/ThreatModCon2023%20Slides/ThreatModCon2023-Developing_Threat_Modeling_Mindset_Workshop_RobertHurlbut.pdf

Handout: https://4550632.fs1.hubspotusercontent-na1.net/hubfs/4550632/Threat%20Modeling%20Connect/ThreatModCon/ThreatModCon2023%20Slides/ThreatModCon2023-Developing_Threat_Modeling_Mindset_Handout_RobertHurlbut.pd

About the speaker

Robert Hurlbut is a Principal Application Security Architect / Threat Modeling Lead at Aquia, Inc. Robert
Overview

Explore how to evolve threat models in sync with the ever-changing cloud landscape. This talk emphasizes shifting from static to dynamic threat models and proactive responses to cloud updates. Gain insights into threat minimization, stay abreast of cloud changes, and enhance your threat modeling.

Outline

- Provide data on the rate of change of not only cloud providers like AWS, Azure, GCP but also SaaS providers.
- Give examples of how this introduces both better new controls for existing threats (yay!) but also new threats (boo!)
- Provide approaches for how to stay effectively up to date without being overwhelmed
- Discuss methods to triage this information so you don't lose velocity in your team
- Demonstrate workflows that enable your threat models to move from static to dynamic.

Slides: https://4550632.fs1.hubspotusercontent-na1.net/hubfs/4550632/Threat%20Modeling%20Connect/ThreatModCon/ThreatModCon2023%20Slides/ThreatModCon2023_%20Cloud_Continuous_Modelling_TysonGarrett.pdf

About the
Overview

The security community is great at finding problems! We can use threat modeling in a real world "system": our community. We'll see how it can be abused or exploited, focusing on social conflicts in a vulnerable community. Importantly, we’ll talk about what we should do to build a safer community.

Outline

- Intro to Threat Modeling - From My Perspective
- A different interpretation of STRIDE
- What is a "community"? / Modeling a community
- A Model of Social Threats
- Countermeasures
- Calls to Action
- Summary

Slides: https://4550632.fs1.hubspotusercontent-na1.net/hubfs/4550632/Threat%20Modeling%20Connect/ThreatModCon/ThreatModCon2023%20Slides/ThreatModCon2023_TheThreatstoOurCommunity_AviDouglen.pdf

About the speaker

AviD has been building applications for security for decades, and is obsessed with maximizing value output from security efforts since originally building threat models at Microsoft over 15 years ago. Avi is the founder and CEO of Bounce Security, a boutique consulting agency d