Question

Best resources for becoming an expert Threat Modeller?

  • 25 September 2023

Userlevel 1

So I know the usual suspects, of course: @Adam Shostack's books, various YouTube channels (including from IriusRisk), the Threat Modelling Manifesto, and this forum.

But let's say I want to become an "expert" in Threat Modelling… what can you recommend? Something on LinkedIn Learning, perhaps? Or by O'Reilly? 

Or is it simply a matter of getting up-to-speed on the primary literature and hands-on learning?


7 replies

Userlevel 4

What’s that joke about how you get to Carnegie Hall?

After you go over all the sources - threat model, threat model, threat model some more. 

Userlevel 4

Crowd-sourcing is always a good means to leverage common wisdom, therefore recommending this as a central resource: hysnsec/awesome-threat-modelling: A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and initial phases of security review. (github.com)

Other than that - practice, practice, practice, ...

Userlevel 2

Practice, practice, practice! Yes, getting hands-on as well as reading the primary literature are the go-to activities when it comes to becoming a seasoned Threat modelling professional. Also, to add to the mix, collaborate amongst your peers either at work or at topical events, as this will invariably provide you with valuable insight into the complexities of this and surrounding areas of Threat modelling.

Userlevel 1

Crowd-sourcing is always a good means to leverage common wisdom, therefore recommending this as a central resource: hysnsec/awesome-threat-modelling: A curated list of threat modeling resources (books, courses - free and paid, videos, tools, tutorials and workshops to practice on) for learning threat modeling and initial phases of security review. (github.com)

Other than that - practice, practice, practice, ...

Good stuff! I wasn't familiar with the repository of info--very useful!

But yeah, practice, practice, practice.

Userlevel 1

What’s that joke about how you get to Carnegie Hall?

After you go over all the sources - threat model, threat model, threat model some more. 

Agreed, nothing beats experience!

Badge

I have the same opinion. Practice, practice and keep practicing. I suggest you look to others in your community (local security chapters like OWASP, etc.) and ask what they are doing and how they go about it. The key is to network, learn from others and just keep threat modeling.

Historical:

https://seclab.cs.ucdavis.edu/projects/history/papers/ande72a.pdf

https://apps.dtic.mil/sti/pdfs/ADA392777.pdf

https://csrc.nist.gov/files/pubs/conference/1991/10/01/proceedings-14th-national-computer-security-confer/final/docs/1991-14th-ncsc-proceedings-vol-2.pdf (pages 572-581)

 

Related Practices:

Other not specific TM resources:
