Use cases, new ideas, inspiring discussions, networking, and more 🤩
- 57 Topics
- 234 Replies
Hi folks! I hear the term security champions being thrown around quite often and how important it is for some to start building the program. I’ve seen different companies approach the topic very differently, with some succeeding and some outright failures. Some have started with initiatives to train their entire development organization to understand security a little better before heading down this path. Some have asked for volunteers and incentivize them to be part of the team and help build the process. Others may go ahead and just select individuals themselves and “volunteer” them to be the bridge for the teams. My question for you all is, what has your experience been like? Is there a method that works better than others? What are some great ways to start this discussion with various teams and how do we get them more engaged? Where should a company start when thinking of building a Security Champions program? Are there any specifics that need to be considered before starting th
It’s clear that there’s value in doing Threat Modeling on a new application at design time, but what about existing applications? If the application is already deployed and ready, would you apply threat modeling for a specific security task? Thank you in advance.
A question that comes up frequently in discussions: the manifesto says everyone should do threat modelling, but if we are not security specialists, what would be the value? Wouldn’t we just waste time bouncing our amateur ideas off each other? I say - bring on the bouncing! Yes, it is better to have someone with security specialisation in the room, but a team that understands “What are we working on?” is practically guaranteed to find something useful when exploring “What can go wrong?” Why is that the case? Because collaborative threat modelling excels at finding “Unknown knowns”. Whether you use STRIDE, prompt cards, the EOP game, any brainstorming method really - the team members will confess all sorts of horrors that they haven’t realised are relevant before now. Debug functionality with remote access that nobody had removed since release v0.01. Shared accounts, authorisation bypasses, that "TODO" function they wrote ten years ago and somehow it was never prioritised.
Now is the moment to (finally) build a global community to knit together practitioners. Why? Because there are too many misunderstandings about threat models and methods and too little industry consensus. We haven’t yet defined a discipline. How do we teach? How do we support each other and those who are newer? What are the biggest challenges newbies face? Despite decades of discussion amongst a few experts, and numerous standards recommending or requiring threat modeling (though in the past under other names), threat modeling has too often remained a side-show, sometimes considered a “black art” only for the properly initiated. Recently, threat modeling has received a lot of public notice and discussion. Threat models are a topic du jour. OWASP added “secure design” to its Top 10. Presidents suddenly seem interested (Executive Order 1408). Experts seem to be coming out of the woodwork. But do these erstwhile experts actually know what they’re talking about? How would someone without a
We have more and more setups where products are built on internally provided “platforms”. For example, an AWS-based microservice environment that products can use to build their microservice-based products upon. This platform covers parts of the countermeasures, but some of them have to be covered by the product. Another example is that the AWS accounts used by products are not empty, freely configurable accounts but part of our AWS organization, where several things are preconfigured and/or enforced by SCP (Service Control Policy). For example, the whole CloudTrail logging is configured and enforced centrally. We looked into IriusRisk templates, but according to my understanding this is a one-shot approach and further evolution of the “platform” can’t be synced into the products using it. We internally now found a solution by using an Excel and a Python script that generates a rules library xml that we import into IriusRisk to trigger rules that set certain countermeasures automatically to
Hi all, a while ago I stumbled upon this Stackoverflow blog post on the importance of reading into cutting edge research in computer science: https://stackoverflow.blog/2022/04/07/you-should-be-reading-academic-computer-science-papers/ I believe the above blog post motivates the importance of reading past tutorials if you want to become good at your field. You should also check out https://paperswelove.org/ by the way. On the other hand, I have missed from this list the papers that would be relevant for threat modelling one way or the other. So I just wanted to kick off this thread to collect papers that we love / would love to recommend on threat modeling or on some related area like risk mgmt. Papers which might add a bit more than anecdotal commentary on what seemed to work for the one or the other colleague. Too often I have found that once someone starts to describe “what worked for them” it soon turns into a justification of their current state of practice - for the better of or wors