
Upcoming event: What does a mature security champion program look like? (Fri, 24 Mar, 15:00)

Featured discussions
hacxys (New Participant), in General Discussion

Questions on threat modelling

  1. How to integrate threat modelling into Jira workflows?
  2. How/where to store the threat models so that they can easily be reviewed for future reference? In my experience diagrams/PDFs become obsolete and no one views them in the future.
  3. How to ensure all threats are covered? How to know that we have threat modelled enough?
  4. How is threat modelling different from a secure design review?

hacxys
12 minutes ago
izar (Participating Frequently), in General Discussion

I'm Izar Tarandach - and if you have questions, I may have answers! (Q&A)

Hi everyone, I’m Izar Tarandach, a Sr Staff Engineer at Datadog these days helping develop security products. Previously, I helped Squarespace, Autodesk, DellEMC RSA, IBM, and Bridgewater Associates design and implement product- and enterprise-wide security solutions, offering guidance in the design and implementation of secure systems and products.

I’m also a co-author of "Threat Modeling: A Practical Guide for Development Teams" (O'Reilly) with Matthew Coles, and part of the "Threat Modeling Manifesto" band. I wrote the Continuous Threat Modeling Handbook and lead the OWASP pytm project, the first (I think!) threat-model-with-code framework out there.

Currently I am looking into the bridge between Observability and Security. I’m excited to talk about that, secure development and engineering, threat modeling, careers in cybersecurity, Threat Modeling Manifesto, my favorite movies, dogs, what is that funny fish and anything in between.

How it works: Add your questions below any time before

Brook Schoenfield
5 days ago
Shuning (Community Manager), in Welcome & Announcements

Meet & Greet Your Peers 🤗

Hello, hola, hallo, guten tag, bonjour, shalom…community!

One of the most exciting parts of your journey in Threat Modeling Connect is the opportunity to meet and work closely with the best and brightest (and kindest!) threat modeling professionals around the world. Let’s greet each other and share:

  • Where you work, live, and your current role
  • Your threat modeling experience, challenges, expertise - whether you’re just beginning or further down the journey, we’d love to hear more of your story
  • Where we can find you if you’re not threat modeling

We’ll get to know each other more along the way. This is just the beginning of something great :)

Shuning
7 days ago
Michael Bernhardt (Participating Frequently), in Articles

Selling the “Yellow Cow”: How to Sell Threat Modeling to Your Leadership Team Beyond Its Security Benefits (Article)

The Yellow Cow is a picture by German artist Franz Marc (Source: https://en.wikipedia.org/wiki/Yellow_Cow#/media/File:Franz_Marc-The_Yellow_Cow-1911.jpg). In this artwork, Marc expressed the conflict between the inner and outer perception of the world. Additionally, yellow stands for inspiration and power. Leveraging this metaphor, let us explore how threat modeling, if implemented successfully, can help put your organization in a stronger position beyond the initial security goal.

Threat modeling comes with cost and effort. It’s not uncommon for organizations to pursue more cost-efficient paths as long as they allow them to “check the box.” In my article “Becoming the Martian: How to Scale Threat Modeling in Your Organization,” I have elaborated on why threat modeling has not yet been a C-level topic in most companies. The article should provide the arguments to justify a threat modeling program being the more sustainable solution for your organization.

Many organizations started exploring

Michael Bernhardt
7 days ago
madchap (New Participant), in General Discussion

NPS for threat modeling

Hello everyone!

I am searching for ideas or experiment feedback on how to gather a sort of TM “NPS score” as a measure on how well or not we’re doing with our engineering teams. Hint: Sending MS Forms surveys doesn’t really work.

Looking past the “number of threat models performed”, “number of security work items opened” (and maybe never worked on), etc… how would you measure the actual value that is brought (or not) to various engineering teams as you educate/have them perform threat modeling?

As I am endeavoring in some development work to create a custom Azure DevOps extension for NFRs to bring stuff in-band of engineering teams (and ensure something more cyclic too), I have some rough ideas, but would like to open the question to the experts :)

Thanks!

madchap
9 days ago
JSnurka (New Participant), in General Discussion

NIST Maturity mover using Threat Modeling

My organization is working to move our NIST maturity and one of the ways my team can help is in the area of Threat Modeling. There are some specific questions around TM but it seems that NIST looks at Networking, Database and Application Threat Modeling separately. To be honest, I didn’t know modeling was done in different pillars but holistically.

Here are a few of the NIST questions. I would love feedback on how I can use a tool like IriusRisk to move the needle on these.

  • Which of the following describe how network threat modeling is performed by the organization? (TM performed against network attack surfaces; against data flow)
  • What is the estimated % of all databases for which the organization performs threat modeling to identify and prioritize potential threats?
  • Which of the following describe the organization's implementation of threat modeling? (#3 is focused on application TM incorporated in SDLC)

BTW - NIST defines SDLC as System Development Lifecycle

JSnurka
9 days ago
irene221b (Participating Frequently), in General Discussion

Anyone tried to apply "Collaborative modeling" ideas in your threat modelling?

https://freecontent.manning.com/better-software-development-with-collaborative-modeling/ - I’ve come across this book and the ideas look very applicable to what we do with threat modelling.

Anyone familiar with these ideas? Have you tried it? Any other thoughts?

JamesR
12 days ago
zeroxten (New Participant), in General Discussion

Question on reddit: Threat Modeling sometimes not the best option for addressing security? Request for comments

Sharing this from a post by u/RoAmbk on r/threatmodeling, I thought it would be good to get this community’s input.

Hi,

I sometimes need to help projects in the web/cloud domain, some of them are green field projects. Threat modeling is a vital part of the SSDLC of these projects. On the other hand, there are guidelines like OWASP Top 10, OWASP ASVS, and many more that can help getting to a certain security level.

I prefer to first follow guidelines and only after these have been assessed, perform threat modeling to detect risks and mitigate them.

I had the experience that putting threat modeling before assessing a guideline is not as effective for these kinds of projects.

On the other hand, threat modeling is best when assessing a very custom solution like an embedded system with networked and legacy components.

Do you have some thoughts and comments? I would be very interested in your opinion.

Thank you

What do you think? (source: https://www.reddit.com/r/threatmodeling/comments/10xaxsm/thre

irene221b
15 days ago
shankarbabu (New Participant), in Guides

A Step-by-step Guide to Create Your First Threat Model (Template Included) (Guide)

  • Introduction: What is Threat Modeling
  • Threat Modeling versus Threat Intelligence
  • Threat Modeling alignment to NIST CSF
  • A Simple, Six-Step Approach to Threat Modeling
      • Step 1: Create an architecture diagram and label the artifacts
      • Step 2: List down each architectural component
      • Step 3: Identify and assign potential threats from STRIDE applicability matrix
      • Step 4: Describe threat description
      • Step 5: Propose risk mitigation plan
      • Step 6: Identify appropriate security controls from NIST CSF
  • Manual Threat Modeling Tool Using a Spreadsheet (Template)
  • References
  • Appendix 1: Primer to STRIDE framework
      • Threat Classifications
      • Threat Modeling Elements
      • STRIDE applicability to TM elements
  • Appendix 2: Sample Threat Models
      • SaaS application (public cloud hosted)

Introduction: What is Threat Modeling

A structured and repeatable process to identify threats and mitigate them against valuable assets in a system. We cannot build secure systems until we understand the applicable threats to our applicat

C
20 days ago
Shuning (Community Manager), in Welcome & Announcements

Spring 2023 Hackathon in Full Swing! (News)

🎉 We just kicked off the Spring 2023 Hackathon this morning!

Insecure design is now listed as number 4 in the OWASP Top 10 Web Application Security Risks. In recognition of International Women’s Day, our inaugural hackathon is designed to promote data privacy early in the software development lifecycle. With 70+ community members joining us live from all over the world at the Global Kick-Off, we had an incredible morning together and enjoyed:

  • a delicious 🍦 keynote speech by @Kim highlighting why the privacy posture of any software is more critical than ever and how “privacy by design” can be achieved through threat modeling
  • a story from @purpleanchovy illustrating how a system’s intended functions can be misused and hurt people and how threat modeling could help address that
  • a hands-on workshop led by @Chris Romeo that took us from performing threat modeling to a house, to an alarm system, and finally to a database
  • great collaboration among the hackathon teams facilitated by ment

Shuning
21 days ago

Forum

Validate ideas, share resources, and get feedback from your peers and experts

  • Welcome & Announcements: 7 topics, 32 replies
  • General Discussion: 31 topics, 155 replies

Helpful resources

  • Threat Modeling Manifesto: a guideline on the core values and principles of threat modeling
  • OWASP Threat Modeling Project: a documentation project focusing on threat modeling techniques
  • IriusRisk Community Edition: a free threat modeling automation tool created by IriusRisk

2022 Threat Modeling Connect. All Rights Reserved.