General Discussion

Use cases, new ideas, inspiring discussions, networking, and more 🤩

  • 36 Topics
  • 171 Replies

36 Topics

N
Community Manager
Naresh68Community Manager
posted in General Discussion

Call For Papers: Threat Modeling Conference 2023News

 We are excited to announce the inaugural Threat Modeling Conference (ThreatModCon), an event for application security professionals, researchers, developers, architects, testers, and practitioners to discuss and share their knowledge on threat modeling techniques, methodologies, tools, and best practices. We invite the submission of original and innovative research, case studies, and practical experiences. Conference Dates: Sunday, October 29th, 2023Location: Marriott Marquis, Washington DC The theme of the inaugural event is "Threat Modeling is for Everyone".  The conference welcomes contributions from a wide range of topics related to threat modeling, including but not limited to: 1. Threat modeling methodologies and frameworks2. Threat modeling techniques and tools (OSS)3. Uses of machine learning and AI for threat modeling4. Security design patterns5. Privacy and data protection considerations in threat modeling6. Risk analysis, prioritization, and management9. Training and awaren

2
N
Community Manager
3 days ago
Brook Schoenfield
Level 6
Brook SchoenfieldLevel 6
posted in General Discussion

Attacker Knowledge? Why?

“Understand what a criminal is looking for, why they're going to attack you. Is it because of status, cash, ideology? Understand who the attackers are, why they're attacking you, what they're looking for, information access, data cache. And then you'll understand the persistence of the attack. You'll understand what you need to do to design security to deter that type of attack.” - Brett Johnson, Shadow Crew, the first organized cybercrime community. “Scale To Zero” Episode 2.Several members of TM Connect and I have had this long-running conversation (really, disagreement): Must we understand attackers or not? Mr. Johnson, former and foundational attacker clearly validates my position that attacker knowledge is essential to understanding the following:Attack surfaces Lateral movements (steps of the attack towards attacker’s objectives) What will be compromised and how (not every successful attack ends in a data breach. consider bot nets) Rating impacts properlyTake for example a divers

2
Brook Schoenfield
Level 6
8 days ago
Brook Schoenfield
Level 6
Brook SchoenfieldLevel 6
posted in General Discussion

Threat Model Hangers

@izar wrote something that I think is critically important for those who are wondering how to “sell” threat modelling to decision makers and developers. It bears repeating, underline, echo, big ditto from me: “[T]hreat models are a great hanger to hang most if not all other activities of the SSDLC on. If you have a threat model you can rely on it to provide a framework for security testing that you wouldn’t have beforehand, and you might end up either looking in the wrong places or putting too much energy and time into probing things that do not guarantee your security. Likewise, if you know you have a high level of exposure to injection issues, you can orient your pentesters in that direction and get a better return on the investment that is a pen test. You need to onboard new people? Point them in the direction of the threat model and not only they’ll get a detailed view of the system they will be working on, they will also learn of those areas that are more brittle or need more care

2
Brook Schoenfield
Level 6
20 days ago
Brook Schoenfield
Level 6
Brook SchoenfieldLevel 6
posted in General Discussion

Authenticated Attackers

Salt Security API security report 2023 validates an aspect of #threatmodeling that I find myself needing to repeat: Authentication does not prevent attack!Of the 4842 API attacks analyzed for the report, only 22% were unauthenticated. A vast majority (78%) of attacks were authenticated!If what's behind an authentication is worth the expense/effort, attackers are happy to purchase/sign up. Consider:Freemium and advert-paid sites (Facebook, etc.) and sites that dole out email addresses (Live, Yahoo, Gmail) allow everyone (of course attackers) Large enterprises always have some compromised machines. Ergo, attacker rides along with authenticated user. Any enterprise user might also allow attack A billion cracked passwords readily available#threatmodeling must account for authenticated, likely authorized attackershttps://content.salt.security/state-api-report.html(In another post I’d be happy to explain what authentication does provide. It’s also in a couple of my books, if that helps?)

1
P
Level 4
1 month ago
hacxys
Level 3
hacxysLevel 3
posted in General Discussion

Threat Models collection

Is there a place( github repo, notion etc)where  can see a collection of threat models from various companies/individuals?If not ,can we create a dedicated space on this forum where people can share their threat models keeping the privacy of their organisations intact.?

6
zeroxten
Level 6
2 months ago
joshdub
Level 4
joshdubLevel 4
posted in General Discussion

Threat modeling: mandatory or nah?

I came across an article that I can’t seem to find again. It asked if threat modeling should be a mandatory practice. We might all want to agree that it should (as we are a threat modeling community). However, I don’t believe the answer is binary. I think there is a spectrum that the answer lies on, and every organization has its point on that spectrum that they will be at that will evolve at some rate.I’d love to discuss everyone’s thoughts on this subject. Maybe a specific practice worked at one place but didn’t work at another. Also, something I think is interesting. Does trending threat modeling toward being mandatory help define a mature threat modeling process?

13
Brook Schoenfield
Level 6
2 months ago
hacxys
Level 3
hacxysLevel 3
posted in General Discussion

Questions on threat modelling

1)How to Integrate threat modelling into jira work flows?2)How/where to store the threat models so that can be easily be reviewed for future reference?In my experience diagrams/pdfs become obsolete and no one views them in the future?3)How to ensure all threats are covered ? How to know that we have threat modelled enough?4)How is threat modelling  different from a secure design review ?

2
VíctorG
Level 4
2 months ago
izar
Level 6
izarLevel 6
published in General Discussion

I'm Izar Tarandach - and if you have questions, I may have answers!Q&A

Hi everyone, I’m Izar Tarandach, a Sr Staff Engineer at Datadog these days helping develop security products. Previously, I helped Squarespace, Autodesk, DellEMC RSA, IBM, and Bridgewater Associates design and implement product- and enterprise-wide security solutions, offering guidance in the design and implementation of secure systems and products.I’m also a co-author of "Threat Modeling: A Practical Guide for Development Teams", O'Reilly with Matthew Coles, and part of the "Threat Modeling Manifesto" band. I wrote the Continuous Threat Modeling Handbook and lead the OWASP pytm project, the first (I think!) threat-model-with-code framework out there.Currently I am looking into the bridge between Observability and Security. I’m excited to talk about that, secure development and engineering, threat modeling, careers in cybersecurity, Threat Modeling Manifesto, my favorite movies, dogs, what is that funny fish and anything in between.How it works: Add your questions below any time before

35120
Brook Schoenfield
Level 6
2 months ago
madchap
Level 4
madchapLevel 4
posted in General Discussion

NPS for threat modeling

Hello everyone!I am searching for ideas or experiment feedback on how to gather a sort of TM “NPS score” as a measure on how well or not we’re doing with our engineering teams. Hint: Sending MS Forms surveys don’t really work.Looking past the “number of threat models performed”, “number of security work items opened” (and maybe never worked on), etc… how would you measure the actual value that is brought (or not) to various engineering teams as you educate/have them perform threat modeling?As I am endeavoring in some development work to create a custom Azure DevOps extension for NFRs to bring stuff in-band of engineering teams (and ensure something more cyclic too), I have some rough ideas, but would like to open the question to the experts :)Thanks! 

5
madchap
Level 4
2 months ago
JSnurka
Level 4
JSnurkaLevel 4
posted in General Discussion

NIST Maturity mover using Threat Modeling

My organization is working to move our NIST maturity and one of the ways my team can help is in the area of Threat Modeling. There are some specific questions around TM but it seems that NIST looks at Networking, Database and Application Threat Modeling separately.  To be honest, I didn’t know modeling was done in different pillars but holistically.Here are a few of the NIST questions.  I would love feedback on how I can use a tool like IriusRisk to move the needle on these.Which of the following describe how network threat modeling is performed by the organization? TM performed against network attack surfaces Against data flow What is the estimated % of all databases for which the organization performs threat modeling to identify and prioritize potential threats? Which of the following describe the organization's implementation of threat modeling #3 is focused on application TM incorporated in SDLCBTW - NIST defines SDLC as System Development Lifecycle

2
JSnurka
Level 4
2 months ago
irene221b
Level 6
irene221bLevel 6
posted in General Discussion

Anyone tried to apply "Collaborative modeling" ideas in your threat modelling?

https://freecontent.manning.com/better-software-development-with-collaborative-modeling/ - I’ve come across this book and the ideas look very applicable to what we do with threat modelling.Anyone familiar with these ideas? Have you tried it? Any other thoughts?

1
JamesR
Level 6
2 months ago
zeroxten
Level 6
zeroxtenLevel 6
posted in General Discussion

Question on reddit: Threat Modeling sometimes not the best option for adressing security? Request for comments

Sharing this from a post by u/RoAmbk on r/threatmodeling, I thought it would be good to get this community’s input.Hi,I sometimes need to help projects in the web/cloud domain, some of them are green field projects. Threat modeling is a vital part of the SSDLC of these projects. On the other hand, there are guidelines like OWASP Top 10, OWASP ASVS, and many more that can help getting to a certain security level.I prefer to first follow guidelines and only after these have been assessed, perform threat modeling to detect risks and mitigate them.I had the experience that putting threat modeling before assessing a guideline is not as effective for these kind of projects.On the other hand, threat modeling is best when assessing a very custom solution like an embedded system with networked and legacy components.Do you have some thoughts and comments? I would be very interested in your opinion.Thank you What do you think? (source: https://www.reddit.com/r/threatmodeling/comments/10xaxsm/thre

2
irene221b
Level 6
3 months ago
Adam Shostack
Level 6
Adam ShostackLevel 6
posted in General Discussion

What makes trust boundaries a challenging concept?

I routinely hear people struggle. Perhaps it's been too long since I first encountered it. Have you heard a good explanation of why it's hard? Do you have one of your own? What helped you overcome it? How do you teach it, or elicit boundaries when you’re leading threat modeling work?

8
L
Level 2
3 months ago
dbeu
Level 3
dbeuLevel 3
posted in General Discussion

Versioning use cases

Hi everyone,Are you utilizing the Versioning feature of IriusRisk? If yes, what are some of the main use cases that you are using it for?First thing that comes to my mind is when doing some major changes in the architecture of a product and you want to keep track of the changes. Thanks

3
dbeu
Level 3
3 months ago
preethisampath
Level 4
preethisampathLevel 4
posted in General Discussion

End User Survey

If an organization was to conduct a survey about its Threat Modeling program what are the top 5 things that the survey must aim to ask? Say, the stakeholders for this survey would be the application architects & managers.

6
R
Level 3
3 months ago
D
Level 3
DaveLevel 3
posted in General Discussion

threat model tool - threatware

This community seems like an appropriate place to share approaches to threat modelling, so I thought I’d share an open source tool called threatware that I created to help validate and manage threat models.  I wrote a longer blog post discussing the origin of it, but this community might find some of the design decisions I made when I created the (suggested) process and tool - see An Opinionated Approach - as relevant discussion topics for challenges we all face when operating a threat modelling program of work.Hope you find it interesting, maybe even useful.  Happy to discuss.

2
VíctorG
Level 4
4 months ago
Chris Romeo
Level 6
Chris RomeoLevel 6
published in General Discussion

Ask Me Anything about Threat Modeling on January 27th!Q&A

Hi, Threat Modeling Connect community!I’m Chris Romeo, CEO of Kerr Ventures and self-described “threat modeler to the stars.” I previously co-founded Security Journey and have participated in numerous initiatives, conferences, and community projects to drive application security and threat modeling in organizations of all sizes. I also host the award-winning “Application Security Podcast” with @RobertHurlbut (we’re both founding members of Threat Modeling Connect 😎).I’ve taught threat modeling and rolled it out across the Enterprise at Cisco. I’m excited to share my thoughts, approaches, and experiences with you through this AMA.Ask me anything about threat modeling!Here's how it works:Reply to this post with your question(s) any time before or during the AMA. Look at other community members’ questions and like those that you find interesting.On Friday, January  27th, 11:00-noon ET, I’ll be answering your questions live! Cheers,Chris

33417
Chris Romeo
Level 6
4 months ago
Shuning
Level 10
ShuningLevel 10
posted in General Discussion

[POLL] What topics do you like to see more in 2023?

Hello community!As we’re planning for the content for Threat Modeling Connect for 2023, we’d like to know what interests you the most and the top challenges where you’d like more resources and support around.⬇️ Share your input by taking this poll:(Feel free to add a comment and share more context/details, e.g. peer support groups for XYZ topics , workshops for XYZ topics)

8
nznigel
Level 4
4 months ago
fixbits
Level 9
fixbitsLevel 9
posted in General Discussion

Has anyone experienced with integrating TM in automated pipelines?

It seems to me that with the growing number of tools supporting threat modeling or working with TMs in an automated fashion (IR,shiftleft,OTM) a lot of possibilities open up for integrating these in CI/CD or other workflows.Are you aware of any implemented use cases in this direction? Are there any working examples for generating a TM (even for a small well understood domain) based on code or config changes for instance?

5
Brook Schoenfield
Level 6
4 months ago
stephendv
Level 4
stephendvLevel 4
posted in General Discussion

Threat Models in SBOMs

SBOMs are a critical part to helping secure the software supply chain.  Having a catalogue of libraries and components in an SBOM is obviously the key element of this, so that it can be queried by security tools to identify known vulnerabilities.  So far so good. I can’t help thinking that including a threat model in the SBOM would help to provide some additional context about the security decisions made by the vendor.  What I mean is that as a software vendor, I choose my third party components and include them in my software.  When I do that, I may make some security decisions such as including a library with a known vulnerability because I know that we don’t use that library in a way that exposes the vulnerability.  A threat model would be a way for me to communicate this to readers of my SBOM.What do the SBOMmers think of this?  Has any work been done in the area of marrying threat modeling and SBOMs?  

4
Brook Schoenfield
Level 6
5 months ago
Adam Shostack
Level 6
Adam ShostackLevel 6
posted in General Discussion

Fast, Cheap, Good (Redux)

Some of you may have seen my whitepaper (Fast, Cheap, Good: an unusual combination).  I’m releasing an academic preprint that delves into why I think these methods are important and what we can learn from them. Links to both: https://shostack.org/blog/fast-cheap-good-redux/

0
Adam Shostack
Level 6
5 months ago
Adam Shostack
Level 6
Adam ShostackLevel 6
posted in General Discussion

Article share: Threat Modeling in the Age of OpenAI's Chatbot

I have a new article in Dark Reading which may be interesting to this community, titled “Threat Modeling in the Age of OpenAI's Chatbot.”Comments, feedback, disagreement all welcome.

2
Adam Shostack
Level 6
5 months ago
P
Level 3
Paresh.keraiLevel 3
asked in General Discussion

OSCAL: the Open Security Controls Assessment Language for IriusRisk

Hi Guys, Has anyone come across of using OSCAL security controls on IriusRisk or have experience? I would love to get some insights on that.Thanks

4
areyes
Level 1
5 months ago
preethisampath
Level 4
preethisampathLevel 4
posted in General Discussion

How do you define the success criteria for threat modeling?

How do you determine the “success” of a threat model program? Is there any Key Performance Indicators you’re using?It is not just the # of threat models created or # of threats reported, but the impact it makes. I’m curious how the community measures the impact of a threat model?

6
J
Level 4
5 months ago
Brandon Green
Level 6
Brandon GreenLevel 6
posted in General Discussion

What's your favorite Threat Modeling methodology?

Since there are many different threat modeling methodologies (STRIDE, PASTA, DREAD, etc), I’d like to ask the community members:Which methodology is your favorite, and why? I’ve only used STRIDE and I’m eager to hear everyone’s thoughts on the others.

10
Hoss
Level 4
6 months ago

🔔 Stay connected

Click the subscribe button above to be notified of new posts in the forum.

Start a conversation

Validate your ideas, share resources, get feedback from your peers and experts.

Make a post
Terms and Conditions, Community Guidelines and Privacy.Cookie settings