Meet & Greet Your Peers 🤗

  • 20 September 2022
  • 33 replies
  • 794 views

Userlevel 6

Hello, hola, hallo, guten tag, bonjour, shalom…community!

One of the most exciting parts of your journey in Threat Modeling Connect is the opportunity to meet and work closely with the best and brightest (and kindest!) threat modeling professionals around the world. 

Let’s greet each other and share:

  • Where you work, live, and your current role
  • Your threat modeling experience, challenges, expertise - whether you’re just beginning or further down the journey, we’d love to hear more of your story
  • Where we can find you if you’re not threat modeling

We’ll get to know each other more along the way. This is just the beginning of something great :)


Userlevel 6

Hello, Ni-Hao, Konnichiwa, everyone!

I am the Global Lead of Community (aka community manager) at IriusRisk. I was new to threat modeling upon joining IriusRisk and found @adamshostack’s four questions enlightening! And then, I had the opportunity to work with @Brook Schoenfield on a webinar, where I asked him to illustrate the second question in Adam's four questions "what can go wrong." He brought up an analogy I'll forever remember: every driver, consciously or unconsciously, has a threat model in mind when they're on the road; we probably don't want to share the road with someone who doesn't. That's been how I explain my work to my friends who don't work in cybersecurity :-)

I'm based in Boston and live with my husband and our five-year-old rescue cat in a compact (400 square feet) apartment right at the heart of the city and have been studying and practicing the KonMari Method ever since! I've always enjoyed Asian cooking, and the pandemic led me to find new joy in cooking by cooking with the community. This summer, I hosted several gyoza, sushi, and soba nights for friends and family, and now I am ready for the nabei (hot pot) party to survive the upcoming 6-month winter in New England.

Userlevel 4
Badge

@Shuning Look out! I’m coming for dinner! Better warn the cat. 😋🤣😉

Userlevel 3
Badge

Big thumbs up for nabei 😆

Cheers, D

Userlevel 4
Badge +1

Thumbs up on the whole list of foods, and I could contribute to the dinner with a decent collection of gins and tonics if you were interested. Awaiting the pick-up invite for the event with the rightly assessed bus driver 😋

Userlevel 2
Badge

Hi all,

My first role in security was installing Gauntlet firewalls on BSD Unix before the turn of the century :)

Moved from that to pentesting and AppSec and enjoyed contributing to the OWASP ASVS, Testing Guide and Secure Dev Guide. I was drawn to running threat modeling training and workshops during my consulting gigs and decided to build a tool for threat modeling with my co-founder Cristina Bentue in about 2014.

I am based in Jaca, northern Spain, and on weekends I enjoy heading into the Pyrenees for day hikes; in winter I’m learning nordic skiing but am still a complete newb. Looking forward to working with you all!

Userlevel 3
Badge

Greetings Everyone - I have been working in threat modeling with organizations for almost 8 years. I began my career working with regional banking and healthcare and assessing different types of threat scenarios against their critical infrastructure. I certainly wish something like this existed back then. It would have saved me a ton of time trying to bootstrap my own methods.

Looking forward to working with everyone to build out this community and share our experiences with each other. 

Userlevel 3
Badge

Hello, вітаю, привет, שלום

I’m working at Neo4j as AppSec lead. I started threat modelling about 10 years ago, bootstrapping myself and my team using Adam’s book.

Since then I’ve done lots of TM as a consultant before going back to an in-house role, and I speak at conferences, mostly teaching people to start threat modelling on existing projects. Did I come up with the “incremental” buzzword all by myself? If you think you’ve inspired me to this approach, give me a shout.

Worked with some of you on the manifesto which was great fun, and hope to get to know more great people here.

Userlevel 6

Welcome on board, @irene221b! Glad to have you here! Happy to meet another TM expert first inspired by @adamshostack’s book :) The “incremental” approach you champion definitely makes threat modeling less intimidating.

Thank you for the input on demonstrating the value of threat modeling existing applications. For those who may have a similar question, “is it worth doing TM for existing apps?”, check out Irene’s recommendation in that thread!

Userlevel 4
Badge

And look who’s (fashionably?) late for the party! 

It is great to have a community we can all come together at. So much to discuss, share and discover. Can’t wait to see what we come up with next. (Rolls sleeves up) Where do we start?

Userlevel 6

Welcome aboard Izar! Thrilled to have you and can’t wait to see what you’ll be sharing, building, and creating with this global community 🤗

Userlevel 2
Badge

Hey everyone. I'm really looking forward to sharing and learning from you all. I'll try not to create too many rabbit hole discussions :)

Userlevel 2

Hey… you forgot Ni Hao. 你好! 

By the way, I LOVE Chinese Hot Pot and now is the perfect season for it. 

I took Adam Shostack’s course at DevSecCon in Boston in 2018 where I met other luminaries such as Caroline Wong and Jeff Williams. 

I brought Adam’s training to United Health Group and created an internal Security Champion program called Optum Security Advocate, which was modeled (loosely) on Chris Romeo’s program he started at Cisco.

I am also one of the founding members of the Triangle Chapter of the Cloud Security Alliance. 

Looking forward to connecting with everyone. 

Userlevel 2
Badge

  • Where you work, live, and your current role

    Nigel Hanson, working for Trimble Inc (20+ years, with a couple of “breaks” - ok, I left, but came back each time), based out of New Zealand but prior to Covid visited a lot of the world, currently AppSec specialist for our Global Security team.

  • Your threat modeling experience, challenges, expertise - whether you’re just beginning or further down the journey, we’d love to hear more of your story

    My “aha” moment with TM was playing Elevation of Privilege with Adam Shostack (https://shostack.org/blog/lessons-learned-elevation-of-privilege/).

    HUGE fan of
    - the 4 questions (it’s in my email signature)
    - Threat Modeling Manifesto (ESPECIALLY the anti-patterns).

    Believe you can threat model anywhere, anytime, and try to take what can be overwhelming things like STRIDE and DREAD and refer to them as “just a potential picklist of things that could go wrong, together with a way to prioritise those things”.

  • Where we can find you if you’re not threat modeling

    Well it’s almost summertime here in NZ, so outside with a BBQ and/or wine - or visiting some of the outdoor spaces that I finally started exploring when Covid hit and we could finally get access to (at affordable prices) when no tourists were allowed in the country 8-).

Userlevel 1

Hi all! I’m Simone Curzi, and I’m happy to join this community.

I am a Threat Modeling veteran, having started delivering it about 8 years ago. Having joined Microsoft in January 2000, I still work there as a Principal Consultant specializing in Cybersecurity, Application Security and Threat Modeling. As such, I have accumulated a lot of knowledge about diverse customer industries and scenarios, moving from the Financial sector to Manufacturing and the Public sector.

I have been the leader of the internal Microsoft Community on Application Security for 5 years. I love to participate in international events. The collaboration I am most proud of is one with Altaz Valani, Hasan Yasar, Jack Freund, and Arun Prabhakar, which has led to the preparation of a study on a Maturity Model for Threat Modeling focused on Agility and Business Value. This study culminated in a presentation at the (ISC)2 Security Congress in 2021.

My focus is to apply Continuous Learning and Continuous Improvement principles every time I can. For example, this has led me to start mad endeavors like developing tools for Threat Modeling because I wasn’t able to find a suitable tool to support the process I envisioned.

I live in a small city in the middle of Italy, and I have a wonderful family with my wife and my twin girls. Besides dedicating time to them, in the last months I have spent a lot of effort and of my free time working on a book with Michael Howard and Heinrich Gantenbein. It is not on Threat Modeling, but of course I have included a chapter on our beloved practice. How could I not? :)

I look forward to contributing to this community. I hope it will be instrumental in ensuring the healthiest growth of Threat Modeling in every organization around the globe!

Userlevel 2

Hi All,

Really happy to join this community of threat modelling experts. I am Robin, a fellow threat modeler, and I hope to learn from you all as well as bring my contribution to the table where appropriate.

Hello all

My name is Michael Loadenthal and I work coordinating some threat modeling and related security review projects for a few universities. We work to bring the methodology of ‘traditional’ TM (i.e., software, networks, etc.) to less traditional settings such as those applicable for journalists, human rights workers, activists, etc. I am especially interested in operational security and technological approaches to security utilized by violent non-state actors and specialize in the far-right.

I am based in Cincinnati, OH and serve in a variety of employment roles, including as a Postdoc Researcher for the Center for Cyber Strategy and Policy in the School of Public and International Affairs at the University of Cincinnati. I also work leading research teams for Princeton University’s Bridging Divides Initiative, and I also serve as the founder and Executive Director of the Prosecution Project, where we track and analyze court cases involving political violence. We teach threat modeling--both the traditional and modified approaches--in all of these roles.

You can see some of my work here: https://michaelloadenthal.academia.edu/ and our team’s work at https://theprosecutionproject.org/ and https://bridgingdivides.princeton.edu/

I am always looking for collaborators for new projects, opportunities to present, and ways to enrich the work that we’re doing. Feel free to get in touch!

Loadenml@ucmail.uc.edu | ml2283@princeton.edu | mLoadenthal (Twitter)

Userlevel 6

你好 @EricWHart ! 歡迎你 :) Thanks for sharing the introduction to your threat modeling journey! I’m sure @adamshostack and @Chris Romeo will be proud to learn their work has made an impact in the programs and training you later created for your organization! Look forward to learning more about how the programs are going and your new learning/findings along the way! 

P.S. Glad to find another Chinese hot pot fan! In fact, we had three hot pot parties in a row over the past Thanksgiving weekend in our household…welcome, the dark and long New England winter…!


///

Hello @nznigel ! Welcome to Threat Modeling Connect! Thanks for sharing your “aha moment” about threat modeling and the two helpful resources as you began threat modeling -- the Four Questions and the Threat Modeling Manifesto. As part of evangelizing the Four Questions, one of our founding members @JamesR wrote an article that summarizes this framework. We’d love to hear your thoughts and what you may add to that summary based on putting that framework into practice for years! 

P.S. Beautiful picture 💙⛰️! I hope you enjoy the summer and all the beauty and fun it has to offer before the tourists come back.

///

Benvenuto @simonec! Thank you for joining Threat Modeling Connect as a threat modeling veteran. Your experience working in AppSec across multiple industries is impressive. You must have a lot to share about the implications, unique or common challenges in each industry!

The Maturity Model for Threat Modeling you mentioned sounds super interesting, too! In fact, there’s a recent question in the community about seeking a Maturity Model framework. I think you may have some great insights and guidance to share! 

Looking forward to working/learning/collaborating with you more in this new community. Good luck on the new book! Keep us updated as you get into the threat modeling chapter!

///
Welcome @Robin! Thank you for joining us! Love your recent question about the maturity model. It’s a BIG topic and we’ll dedicate a few months next year specifically for this topic and will have articles, discussions, workshops about it. In the meantime, I’ll ask around and see what other members may have to share :)

///
Welcome aboard @loadenthal ! Glad to have you! Thank you for sharing with us your amazing work that extends threat modeling beyond software security. In fact, when we were developing the mission statement of Threat Modeling Connect a few months ago, @Chris Romeo @Brook Schoenfield @jt.infosec stressed that we want to make threat modeling a standard practice not just in software development. Seeing how you embedded threat modeling beyond the software/technology settings and extended it to the journalism and media, social work, etc is inspiring. Welcome again!

Userlevel 1
Badge

Hello everyone,

Really happy to join this threat modeling experts community. My name is Wilhelm and I’m based in Germany. I’ve been creating threat models and relevant approaches for 8 years now and am looking forward to great conversations and also contributions from my side.

Best regards
Wilhelm

Userlevel 6

Willkommen, @biyahis42! Happy you are here and look forward to learning more about your stories working on threat modeling for the past 8 years (that’s a long time!). One of the founding members of this community, @Michael Bernhardt, is also from Germany and is leading the security program for one of the largest telecom companies there. He’s hosting the December community meetup next week that you may want to check out! 

Welcome again! Feel free to poke around in the community or start joining discussions! If you have any questions about the community in the meantime, feel free to DM me anytime 😊

Userlevel 4
Badge +1

@biyahis42 Wilhelm, (not) long time! ;) Good to see you again and happy to see you a part of the community! Let’s catch up in the next days.

Userlevel 1

¡Hola! Hi everyone!

I am the Team Leader of developers focused on Open Threat Model (aka OTM) at IriusRisk. We not only work on improving the OTM standard but also on converting IaC, diagram, and other threat model formats to OTM by evolving the open-source Startleft parser.

I was introduced to threat modeling (thanks to @Adam Shostack’s useful 4-question framework) a few years ago. That said, my interest in cybersecurity dates back to 2012, especially in Ethical Hacking.

Whenever I started an ethical hacking project I always asked myself the same question: rather than waiting for pentesting to know if a system is secure or not, why not increase its security in earlier stages such as design or development? This would allow me to get continuous feedback about the security of my code. So I wouldn’t be in a reactive position to fix flaws; instead, I could be proactive and prevent the flaws in the beginning.

I would never have imagined at that time how interestingly this journey would unfold in the following years, but I have enjoyed every part of it ever since.

I'm based in the Canary Islands, Spain 🇪🇸. Apart from hitting the gym, I enjoy learning to write short tales in a writing workshop. I love pets and sometimes I enjoy preparing tiramisu as dessert.

Looking forward to meeting and learning with everyone in this community!

Userlevel 1

There is no concept of one size fits all approach to Threat Modeling!

The Threat Modeling Manifesto, authored by Adam Shostack, Zoe Braiterman, Brook S.E. Schoenfield, Robert Hurlbut, Jonathan Marcil and other security experts, emphasizes the following values, which are the foundation for implementing and executing a successful Threat Modeling Program:

  1. A culture of finding and fixing design issues over checkbox compliance.
  2. People and collaboration over processes, methodologies, and tools.
  3. A journey of understanding over a security or privacy snapshot.
  4. Doing threat modeling over talking about it.
  5. Continuous refinement over a single delivery.

Threat Modeling Connect is a think tank for the security community to learn, exchange and adopt the best security practices.

My name is Sai, based out of Bangalore (India). I have been in the industry for over a year and am pursuing research in Threat Modeling & Risk Analysis for the future of the global automotive industry.

Looking forward to learning and sharing experiences with the community!

Userlevel 1
Badge

Greetings,

I am the TM SME for our company, and when I say SME, I mean my boss gave me a 450 page TM book and said, “Congratulations, you’re our TM SME.” I’m here to learn everything I can and welcome any advice, resources, or encouraging notes. 

When I’m not modeling, I am in school working towards my CEH certifications. Thanks for the add, advice, and connections. 

Userlevel 3
Badge

Congrats, @Roger_RPC, you’ll have a lot of fun. :) I started in a very similar way in 2010, so at least I know it’s possible to bootstrap with a book.

Userlevel 6

Welcome @Roger_RPC and congratulations on beginning the journey. We all started somewhere, didn’t we? Curious - which 450-page TM book did your manager give you that you faithfully finished?

Thanks for the assurance @irene221b 🤗 With which book did you bootstrap learning about TM?
