As the Spring 2023 Hackathon drew to a close, we’re excited to invite outstanding hackers to share their stories.
Joshua Holmes (
Tell us about yourself and your threat modeling career
What’s your role, and where are you based?
I’m a DevSecOps Security Expert based in Munich, Germany.
When and how did you begin your threat modeling journey?
First threat model ever done was 3 years ago utilizing a small Excel sheet we had quickly put together, it came as a request from the risk team to look further into the architecture of an application that risk had recently been raised against. However, it wasn’t until a year ago that Threat Modeling became more of a day-to-day exercise as the need for threat model became greater and greater, and the results of said threat models were appreciated.
Share your hackathon experience with us
What drew you to participate in the Spring 2023 hackathon?
I was curious to see how other people/ teams would Threat Model the same case study. Seeing how others approach the same case study and develop different strategies or attack scenarios was of great interest to me. Learning how others do something can help you assess the way you are currently doing it and broaden your view of other methods that you may not have been aware of.
What does your team look like, and how did you work together?
We had all worked together in the past on different projects, some team members I had not spoken to in quite some time as they had moved to different companies; however, I reached out to them on LinkedIn and knew they would most likely be interested. From there we started having team meetings to bring everyone up to speed, and it just took off. There was good energy in the team, and each individual had a different task that they wanted to tackle. Some members wanted to draw out the architecture others wanted to build attack trees. Each member brought their skill set into the team and contributed in their area of strength.
(My teammates: Michael H
What was the biggest challenge your team faced? How did you overcome it?
The time requirement snuck up on us. Between work and regular day-to-day tasks, we did not sync too much the first week, and then when realizing that the case study was a bit more complex than originally anticipated we ramped up the meetings the last week. It would have been beneficial to have been able to spend some more time on the attack trees. We spent a lot of time on the diagram and discussing “what can go wrong” or if this area of the diagram made sense. In the end, we rushed the attack trees and retro.
Going from here
What are your top 3 takeaways about threat modeling from this hackathon?
- Don’t get too hung up on all the different things that can go wrong, take the top 2-3 and focus on those, build good attack trees and understand the issue and how to remediate it.
- Planning is key, set a pace stick to it, and don’t underestimate how complex a system can get.
- Find a platform that works for collaboration. We tried different platforms we tried Miro, teams, and google drive. In the end, just having good meetings to sync on topics and share screens to go through areas was the best approach. We emailed content back and forth and had lots of small discussions via chat.
What do you plan to threat model next?
At our company, there are many applications that will need Threat Modeling so the pool of threat models is plentiful.
Connect with Josh
Follow him on the Threat Modeling Connect community for his latest posts, DM him, and connect with him on LinkedIn.
About Community Spotlight
In this blog series, we’re featuring star members of our community - up and coming threat modeling practitioners, top contributors of Threat Modeling Connect, best-in-class threat modeling experts - and their threat modeling stories. Email firstname.lastname@example.org with your story for an opportunity to be featured!