Forum

Validate ideas, share resources, and get feedback from your peers and experts

66 Topics

wgildersleeve
Level 4
wgildersleeveLevel 4
asked in General Discussion

Best resources for becoming an expert Threat Modeller?

So I know the usual suspects, of course: @Adam Shostack's books, various YouTube channels (including from IriusRisk), the Threat Modelling Manifesto, and this forum..But let's say I want to become an "expert" in Threat Modelling… what can you recommend? Something on LinkedIn Learning, perhaps? Or by O'Reilly? Or is it simply a matter of getting up-to-speed on the primary literature and hands-on learning?

0
wgildersleeve
Level 4
7 minutes ago
D
Level 3
DaveLevel 3
posted in General Discussion

What the Auth?

In the threat modelling methodology I use, I ask teams to capture the authentication and authorization methods that the different parts of their system implement (for those bits in-scope).  This ask, as it turns out, has been something that teams have really struggled with.  It seems to be a combination of not always having the difference between authn and authz very clear in their mind, and the fact that sometimes the difference is indeed not very clear at all anyway! (IP allow-lists is a good example - authn or authz? or it depends?).In an effort to at least bring some consistency in how the teams I work with capture authn and authz, I created some Examples and some Guidance to help them, which I thought I would share, in case it helps others as well.If you know of any authn/z guidance, examples or docs that might help others, please do share.

2
D
Level 3
2 days ago
Chris Romeo
Level 6
Chris RomeoLevel 6
published in General Discussion

Join the Threat Modeling Revolution: The Inaugural Threat Modeling Conference is Here!News

I remember the first conference where I ever spoke about threat modeling like it was yesterday. The conference was the Microsoft Secure Development Lifecycle conference in Washington, DC, and the year was around 2010. I did a panel with a few other folks on threat modeling under the more significant SDL conference context. I always wished for a conference focused on threat modeling, and now that wish has come true!  I am acting as the first conference chair for Threat Modeling Conference. A few of us in the world of threat modeling got together as founding members of Threat Modeling Connect. During an initial conversation, I mentioned that a big-ticket goal of Connect should be to host a threat modeling conference. And my reward for that suggestion was an invitation to chair the event. Always be careful when making suggestions. Of course, I'm kidding and honored to chair this event.  I'm working with my various threat modeling besties, like Izar Tarandach @izar , Matt Coles, Brook Scho

1923
Shuning
Community Manager
5 days ago
JamesR
Level 8
JamesRLevel 8
posted in General Discussion

Getting Developers engaged in threat modeling?

What approach does everyone use to get developers engaged in the threat modeling process? Have you found that developers are generally open to getting involved and see the value in shifting left or do they look at it like its just going to add additional work for their teams? 

3
chrdal75
Level 3
5 days ago
joshdub
Level 5
joshdubLevel 5
posted in General Discussion

Threat Modeling Unnecessary?

It’s easy for everyone in security to agree on doing extra work to create secure systems. In my experience, it seems that once we begin to socialize or implement the process/idea/system/etc. there is pushback from others. Threat modeling is no exception.Implementing change, even if it is for the good, is difficult. Has anyone engaged with pushback to threat modeling? Either as a security practice or specific details in the methodology?If so, I’d love to hear your thoughts on how the pushback was approached. Or, like my kids would say, how did you clapback??

6
Ajay
Level 4
6 days ago
Shuning
Community Manager
ShuningCommunity Manager
posted in Welcome & Announcements

Meet & Greet Your Peers 🤗

Hello, hola, hallo, guten tag, bonjour, shalom…community!One of the most exciting parts of your journey in Threat Modeling Connect is the opportunity to meet and work closely with the best and brightest (and kindest!) threat modeling professionals around the world. Let’s greet each other and share:Where you work, live, and your current role Your threat modeling experience, challenges, expertise - whether you’re just beginning or further down the journey, we’d love to hear more of your story Where we can find you if you’re not threat modelingWe’ll get to know each other more along the way. This is just the beginning of something great :)

33
lutfumertceylan
Level 3
7 days ago
izar
Level 8
izarLevel 8
posted in General Discussion

Exceptional Threat Modeling

(as seen in The Security Table’s first LinkedIn live podcast episode!)As much as system builders at large have been more willing to accept Threat Modeling as a useful practice with clear positive results and advantages, it is still somewhat difficult to institute it as a part of the secure software development lifecycle in most organizations.The reasons are many, but chiefly among them is the clear fact that eliciting threats out of a design requires a certain amount of expertise, experience and savviness that is hard to quantify and harder to teach, in security practitioners. We can train people to be aware of security weaknesses that may be introduced at the design stage, but it is harder to train them to identify the multiple ways these weaknesses can sneak in when a system is being designed, or implemented in an agile way, when the design couples tightly with the implementation.This author (and many others!) has tried to make that path shorter, with Continuous Threat Modeling (http

1
D
Level 3
10 days ago
chrdal75
Level 3
chrdal75Level 3
posted in General Discussion

I want to Threat Model, but I don't know where to start.

One question I am often asked by the many organizations I work with is where do I begin ? How do I get started Threat Modeling? What do I Threat Model, and what do I need to be concerned with? As with everything you do, you must be willing to take the first step. Taking on a new challenge is often very intimidating and the fear of failure is real. My advice is to start with the smallest, most simple application or workflow you have. Keep your model small and specific to a singular process. If you identify 1 new threat today, then you have accomplished something significant. I also encourage people to not take this task on by themselves. Threat Modeling is a collaborative process. No one know everything, so leverage the knowledge of your teams.  And because you have kept your model compartmentalised, your collaborators will not feel overwhelmed. Finally, I highly encourage people to move the process of Threat Modeling left. By this I mean, start the process very early in the software de

4
B
Level 2
23 days ago
Brook Schoenfield
Level 6
Brook SchoenfieldLevel 6
published in General Discussion

The 7 themes covered in ThreatModCon 2023News

We, the ThreatModCon 2023 Programme Committee were stunned by the response to our Call For Papers. It’s a new conference, the first conference dedicated to threat models and threat modelling. So the committee members would have been happy to receive a few more papers than available speaking slots.But that’s not what’s happened! Given an embarrassment of riches, we decided to add a second (2nd) presentation and workshop track. Then the hard task of choosing began.I wonder if those who’ve not been on a conference committee are familiar with the process:Understand every submission Adopt a process for identifying each evaluator’s favourites Urge (nag?) evaluators to make choices Categorize submissions by theme for an interesting mix Wrangle evaluators into 1, usually more meetings to work through disagreements and issues Draft acceptance and rejection letters. Obtain approval from committee Notify submitters Schedule the talks in some manner as to keep the energy flowing and themes coheren

1254
Shuning
Community Manager
30 days ago
A
Anonymous
posted in General Discussion

Call For Papers: Threat Modeling Conference 2023News

We are excited to announce the inaugural Threat Modeling Conference (ThreatModCon), an event for application security professionals, researchers, developers, architects, testers, and practitioners to discuss and share their knowledge on threat modeling techniques, methodologies, tools, and best practices. We invite the submission of original and innovative research, case studies, and practical experiences. Conference Dates: Sunday, October 29th, 2023Location: Marriott Marquis, Washington DC The theme of the inaugural event is "Threat Modeling is for Everyone".  The conference welcomes contributions from a wide range of topics related to threat modeling, including but not limited to: 1. Threat modeling methodologies and frameworks2. Threat modeling techniques and tools (OSS)3. Uses of machine learning and AI for threat modeling4. Security design patterns5. Privacy and data protection considerations in threat modeling6. Risk analysis, prioritization, and management9. Training and awarene

6
Shuning
Community Manager
1 month ago
Brook Schoenfield
Level 6
Brook SchoenfieldLevel 6
posted in General Discussion

Keep Up With Attacks!

In order to model well, we have to understand how attacks get started and how they proceed. Otherwise, how do we figure out “What can go wrong?”For many new to the sport of threat models, compiling a reasonably comprehensive set of potential attacks can be daunting, at best, overwhelming for many.Personally, I spend a fair amount of time just keeping up, even though I’ve been modelling for more than two decades. Well, the following article I picked up out of my TL;DR cyber newsletter might help: Let’s Talk About SaaS Attack Techniques (11 minute read)An article from Push providing an overview of modern SaaS attacks. The attacks are broken down into a MITRE ATT&CK style matrix. The article concludes with a discussion on the observability of these attacks.

1
joshdub
Level 5
1 month ago
Brook Schoenfield
Level 6
Brook SchoenfieldLevel 6
posted in General Discussion

Why Threat Modelling Birds Of a Feather?Blog

ThreatModCon 2023 has chosen to foster greater threat modelling practitioner dialogue through a birds of a feather lunch at the conference.In 2011, at SANS What Works In Security Architecture Summit, it struck me that practitioners rarely get an opportunity to discuss recurring issues, to discuss the practice. We do an awful lot of “knowledgeable presenter” dispensing learnings. But we don’t make space for people who practice every day to discuss how they do things, to refine our discipline through unstructured interchange. As practitioners of an engineering discipline, what we do I believe will most certainly benefit from lively discussion, from strongly held opinions, hopefully held loosely enough that we listen to each other, searching for commonality and improvement. Networking events don’t lend themselves to focused discussion. These are more, “meet and greet”, which is fine so far as it goes, but does not advance the practice.After much reflection by ThreatModCon’s organizing com

1
stevespringett
Level 3
1 month ago
Brook Schoenfield
Level 6
Brook SchoenfieldLevel 6
posted in General Discussion

Attacker Knowledge? Why?

“Understand what a criminal is looking for, why they're going to attack you. Is it because of status, cash, ideology? Understand who the attackers are, why they're attacking you, what they're looking for, information access, data cache. And then you'll understand the persistence of the attack. You'll understand what you need to do to design security to deter that type of attack.” - Brett Johnson, Shadow Crew, the first organized cybercrime community. “Scale To Zero” Episode 2.Several members of TM Connect and I have had this long-running conversation (really, disagreement): Must we understand attackers or not? Mr. Johnson, former and foundational attacker clearly validates my position that attacker knowledge is essential to understanding the following:Attack surfaces Lateral movements (steps of the attack towards attacker’s objectives) What will be compromised and how (not every successful attack ends in a data breach. consider bot nets) Rating impacts properlyTake for example a divers

4
adedayo
Level 2
1 month ago
madchap
Level 5
madchapLevel 5
posted in General Discussion

Using LLMs to help lead threat modeling sessions

Hey all, I have not seen any posts nor much out there… but I am sure some people are thinking about this right? With the right DFD metadata and possibly a gherkin-like way to describe scenarios, it feels like something could be done.What are the collective thoughts around using AI to help lead threat modeling sessions to scale appsec teams efforts? Is there something out there that’s already midly useful?If I knew what I was doing, that’s probably something I’d start thinking on building :-)Cheers, 

2
amitpaz
Level 1
2 months ago
Ajay
Level 4
AjayLevel 4
published in General Discussion

Regulatory Requirements on Threat Modelling reaches the APAC regionNews

Singapore’s 2018 Cybersecurity Act indirectly makes it a criminal offence not to perform cybersecurity risk assessments which include threat modelling on computers and systems that have been designated by the Cybersecurity Agency (CSA) as Critical Information Infrastructure (CII).The Act (Act 9 of 2018), otherwise known as the Cybersecurity Bill, first came into force in August 2018 to establish a legal framework for Singapore’s national cybersecurity. The key objective is to strengthen the protection of CII and provide the CSA the powers needed to act effectively to prevent, manage and respond to cybersecurity threats and incidents.In accordance with the 2018 Cybersecurity Act, the CSA issued the Cybersecurity Code of Practice (CCoP) detailing the minimum regulatory requirements Critical Information Infrastructure Owners (CIIOs) must comply with; however, the expectation is that they implement measures beyond those stipulated. The current version (CCoP v2) came into effect on 4th July

300
Ajay
Level 4
2 months ago
cramirez
Level 3
cramirezLevel 3
posted in General Discussion

Birds of a Feather sessions at ThreatModCon 2023

Greetings ThreatModelingConnect Community, ThreatModCon 2023 is fast approaching (https://www.threatmodelingconnect.com/events/threatmodcon-2023-38)!  As part of the conference, we're planning to host several Birds of a Feather (BoF) sessions during lunch.  For those unfamiliar, BoF sessions are informal gatherings of like-minded individuals to discuss topics or common issues encountered without a pre-planned agenda.  We wanted to reach out to the community for feedback on what topics/issues you would be interested in discussing at ThreatModCon 2023.

1
jt.infosec
Level 3
2 months ago
Brook Schoenfield
Level 6
Brook SchoenfieldLevel 6
posted in General Discussion

Threat Model Hangers

@izar wrote something that I think is critically important for those who are wondering how to “sell” threat modelling to decision makers and developers. It bears repeating, underline, echo, big ditto from me: “[T]hreat models are a great hanger to hang most if not all other activities of the SSDLC on. If you have a threat model you can rely on it to provide a framework for security testing that you wouldn’t have beforehand, and you might end up either looking in the wrong places or putting too much energy and time into probing things that do not guarantee your security. Likewise, if you know you have a high level of exposure to injection issues, you can orient your pentesters in that direction and get a better return on the investment that is a pen test. You need to onboard new people? Point them in the direction of the threat model and not only they’ll get a detailed view of the system they will be working on, they will also learn of those areas that are more brittle or need more care

2
Brook Schoenfield
Level 6
4 months ago
Brook Schoenfield
Level 6
Brook SchoenfieldLevel 6
posted in General Discussion

Authenticated Attackers

Salt Security API security report 2023 validates an aspect of #threatmodeling that I find myself needing to repeat: Authentication does not prevent attack!Of the 4842 API attacks analyzed for the report, only 22% were unauthenticated. A vast majority (78%) of attacks were authenticated!If what's behind an authentication is worth the expense/effort, attackers are happy to purchase/sign up. Consider:Freemium and advert-paid sites (Facebook, etc.) and sites that dole out email addresses (Live, Yahoo, Gmail) allow everyone (of course attackers) Large enterprises always have some compromised machines. Ergo, attacker rides along with authenticated user. Any enterprise user might also allow attack A billion cracked passwords readily available#threatmodeling must account for authenticated, likely authorized attackershttps://content.salt.security/state-api-report.html(In another post I’d be happy to explain what authentication does provide. It’s also in a couple of my books, if that helps?)

1
P
Level 4
5 months ago
Shuning
Community Manager
ShuningCommunity Manager
published in Welcome & Announcements

🏆 Meet the Winners of Our Spring 2023 Hackathon!News

The inaugural Threat Modeling Connect hackathon was a success! More than a competition, it was a community initiative where we celebrated and practiced “doing threat modeling over talking about it,” one of the key values underscored by the Threat Modeling Manifesto. We want to take a moment to thank everyone who participated, from those who joined us at the kick-off, to those who attended the workshops, to those who completed the entire challenge, to our workshop leaders @Chris Romeo, @Kim, to our mentors @AviD, @Jeroen V, @fixbits, @jt.infosec, @Mark Merkow,@Zoe Braiterman, and to our expert judges @Adam Shostack, @Brook Schoenfield, @izar, @purpleanchovy, @Sebastien Deleersnyder. It’s because of all of you that our inaugural hackathon was made possible.And now, without further ado, here is the Threat Modeling Connect Spring 2023 Hackathon Winning Team!🎉 Congratulations to Team 4! 🎉Captain: Mariia Tiurina (@Therapy) Teammate: Atul Chaturvedi (@Atulc)  Teammate: Emette Ahava Cohen Do

3195
P
Level 4
5 months ago
Shuning
Community Manager
ShuningCommunity Manager
published in Welcome & Announcements

New feature: points, leaderboard, and ranks!News

Hello community!We’re excited to announce the release of points, leaderboard, and ranks ! 🎉Points - You’ll start earning points for different activities performed in the forum (such as creating a post, replying to posts, receiving “likes” from others, and more.) Leaderboard - Top five members with the most points earned each week will entered the leaderboard on the community homepage. There’s an all-time leaderboard, too!Ranks - Unlock new levels as you participate in the forum. Posts, replies, likes received, likes given…etc all contribute to moving up your ranks. Your ranks will be displayed at the bottom corner of the your avatar.  🏆 😎 It’s time to showcase your threat modeling expertise, support your peers, engage in conversations in the discussion forum while having a little more fun! Pro tip: Subscribe to the general discussion forum to be notified of new posts, so you won’t miss a beat on what’s going on in the forum.​​​​​​“Subscribe” to receive notifications for new posts.

550
Shuning
Community Manager
5 months ago
Shuning
Community Manager
ShuningCommunity Manager
published in Welcome & Announcements

Just released: the Hackathon badges!News

As we wrapped up the Spring 2023 Hackathon, we wanted to celebrate the achievements of all the successful hackers in our community: the great teamwork you demonstrated, the excellent leadership, organization, and communication skills you displayed, and, of course, the quality threat models you created.🥳 As @Chris Romeo, the Security Threat Model workshop leader, mentioned:Everyone wins in the case of a hack-a-thon, because everyone learns and gets better at threat modeling.🤩 Also noted by @izar, one of the judges:It was extremely rewarding and instructive to compare the different entries and approaches.We’re excited to released two exclusive Hackathon badges:The Champion badge - to the winning team The Hacker badge - to the teams with successful submissions          Eligible members should have received the badges in your member profiles!Congratulations again, hackers! #keepthreatmodeling!Behind the badges…shoutout to @aeftimie - the brand manager of Threat Modeling Connect - who des

530
Shuning
Community Manager
5 months ago
Shuning
Community Manager
ShuningCommunity Manager
published in Welcome & Announcements

🥳 Come celebrate with us! (win a signed copy of Adam Shostack's latest book) 🥳News

*🎁 Giveaway!*We recently reached 500 members in our community! It’s an exciting milestone for a young community like ours being around for just four months. And we wanted to celebrate with you - our community members!We will do a “spin the wheel” at this month’s community meetup and give away two signed copy of @Adam Shostack’s latest book “Threats: What Every Engineer Should Learn From Star Wars” to lucky community members. 🎁 How to enter to win 🎁​Attend the April Community Meetup and be present when your name is called.Register now »  

1120
Shuning
Community Manager
5 months ago
hacxys
Level 3
hacxysLevel 3
posted in General Discussion

Threat Models collection

Is there a place( github repo, notion etc)where  can see a collection of threat models from various companies/individuals?If not ,can we create a dedicated space on this forum where people can share their threat models keeping the privacy of their organisations intact.?

6
zeroxten
Level 6
5 months ago
Shuning
Community Manager
ShuningCommunity Manager
published in Hackathon

That’s a wrap! 🎉

Hello Hackers!It’s been an incredible month…we hope you had as much fun hacking and threat modeling as we did organizing it!As an inaugural hackathon, we’re thrilled to gather participants across 21 time zones and are impressed by the intensity and calibre of the submissions received. Congratulations to the Champions and to every team that successfully completed this challenge  👏👏! We just released the exclusive Spring 2023 Hackathon Hacker Badges to all active members of the teams with a complete submission as a recognition of your achievement in completing this hackathon. Check out your member profile in the next few hours.Wherever you are in your threat modeling journey, be it year 1 or year 21, we hope this hackathon has challenged and inspired you to refine/improve/upgrade the way you do threat modeling. What’s next? Below are a few things we suggest…but above everything else, #keepthreatmodeling! Share your feedback - If you haven’t already, please take a moment (about 2 mins!)

560
Shuning
Community Manager
5 months ago
joshdub
Level 5
joshdubLevel 5
posted in General Discussion

Threat modeling: mandatory or nah?

I came across an article that I can’t seem to find again. It asked if threat modeling should be a mandatory practice. We might all want to agree that it should (as we are a threat modeling community). However, I don’t believe the answer is binary. I think there is a spectrum that the answer lies on, and every organization has its point on that spectrum that they will be at that will evolve at some rate.I’d love to discuss everyone’s thoughts on this subject. Maybe a specific practice worked at one place but didn’t work at another. Also, something I think is interesting. Does trending threat modeling toward being mandatory help define a mature threat modeling process?

13
Brook Schoenfield
Level 6
6 months ago

🔔 Stay connected

Click the subscribe button above to be notified of new posts in the forum.


Start a conversation

Validate your ideas, share resources, get feedback from your peers and experts.

Make a post
Terms and Conditions, Community Guidelines and Privacy.Cookie settings
V2