Meet & Greet Your Peers 🤗

  • 20 September 2022
  • 22 replies
  • 402 views

Userlevel 4

Hello, hola, hallo, guten tag, bonjour, shalom…community!

One of the most exciting parts of your journey in Threat Modeling Connect is the opportunity to meet and work closely with the best and brightest (and kindest!) threat modeling professionals around the world. 

Let’s greet each other and share:

  • Where you work, live, and your current role
  • Your threat modeling experience, challenges, expertise - whether you’re just beginning or further down the journey, we’d love to hear more of your story
  • Where we can find you if you’re not threat modeling

We’ll get to know each other more along the way. This is just the beginning of something great :)


22 replies

Userlevel 4

Hello, Ni-Hao, Konnichiwa, everyone!

 

I am the Global Lead of Community (aka community manager) at IriusRisk. I was new to threat modeling upon joining IriusRisk and found @adamshostack’s four questions enlightening! And then, I had the opportunity to work with @Brook Schoenfield on a webinar, where I asked him to illustrate the second question in Adam's four questions "what can go wrong." He brought up an analogy I'll forever remember: every driver, consciously or unconsciously, has a threat model in mind when they're on the road; we probably don't want to share the road with someone who doesn't. That's been how I explain my work to my friends who don't work in cybersecurity :-)

I'm based in Boston and live with my husband and our five-year-old rescue cat in a compact (400 square feet) apartment right at the heart of the city and have been studying and practicing the KonMari Method ever since! I've always enjoyed Asian cooking, and the pandemic led me to find new joy in cooking by cooking with the community. This summer, I hosted several gyoza, sushi, and soba nights for friends and family, and now I am ready for the nabei (hot pot) party to survive the upcoming 6-month winter in New England.

Userlevel 3

@Shuning Lookout! I’m coming for dinner! Better warn the cat. 😋🤣😉

 

Userlevel 3

Big thumbs up for nabei 😆

Cheers, D

Userlevel 2

Thumb up on the whole list of foods and I could contribute to the dinner with a decent collections of Gins and Tonics if you were interested. Awaiting the pick-up invite for the event with the rightly assessed bus driver 😋

Userlevel 2

Hi all,

My first role in security was installing Guantlet firewalls on BSD Unix before the turn of the century :)  

Moved from that to pentesting and AppSec and enjoyed contributing to the OWASP ASVS, Testing Guide and Secure Dev Guide.  I was drawn to running threat modeling training and workshops during my consulting gigs and decided to build a tool for threat modeling with my co-founder Cristina Bentue in about 2014.

I am based in Jaca, northern Spain and on weekends I enjoy heading into the Pyrenees for day-hikes and in winter I’m learning nordic skiing but am still a complete newb.  Looking forward to working with you all!

 

 

Userlevel 2

Greetings Everyone - I have been working in threat modeling with organizations for almost 8 years. I began my career working with regional banking and healthcare and assessing different types of threat scenarios against their critical infrastructure. I certainly wish something like existed back then. Would have saved me a ton of time from trying to bootstrap my own methods. 

Looking forward to working with everyone to build out this community and share our experiences with each other. 

 

Userlevel 2

Hello, вітаю, привет, שלום

I’m working at Neo4j as AppSec lead. I’ve started in threat modelling about 10 years ago, bootstrapping myself and my team using Adam’s book. 

Since then done lots of TM as a consultant before going back to in-house role, and speaking at conferences mostly teaching people to start threat modelling on existing projects. Did I come up with the “incremental” buzzword all by myself? If you think you’ve inspired me to this approach, give me a shout.

Worked with some of you on the manifesto which was great fun, and hope to get to know more great people here.

Userlevel 4

Hello, вітаю, привет, שלום

I’m working at Neo4j as AppSec lead. I’ve started in threat modelling about 10 years ago, bootstrapping myself and my team using Adam’s book. 

Since then done lots of TM as a consultant before going back to in-house role, and speaking at conferences mostly teaching people to start threat modelling on existing projects. Did I come up with the “incremental” buzzword all by myself? If you think you’ve inspired me to this approach, give me a shout.

Worked with some of you on the manifesto which was great fun, and hope to get to know more great people here.

Welcome on board, @irene221b! Glad to have you here! Happy to meet another TM expert first inspired by @adamshostack’s book :) The “incremental” approach you champion for definitely makes threat modeling less intimidating.

Thank you for the input on demonstrating the value for threat modeling existing applications. For those who may have similar question “is it worth doing TM for existing apps?” check out Irene’s recommendation in that thread! 

Userlevel 2

And look who’s (fashionably?) late for the party! 

It is great to have a community we can all come together at. So much to discuss, share and discover. Can’t wait to see what we come up with next. (Rolls sleeves up) Where do we start?

Userlevel 4

And look who’s (fashionably?) late for the party! 

It is great to have a community we can all come together at. So much to discuss, share and discover. Can’t wait to see what we come up with next. (Rolls sleeves up) Where do we start?

Welcome aboard Izar! Thrilled to have you and can’t wait to see what you’ll be sharing, building, and creating with this global community 🤗

Userlevel 1

Hey everyone. I'm really looking forward to sharing and learning from you all. I'll try not to create too many rabbit hole discussion :)

Userlevel 2

Hey… you forgot Ni Hao. 你好! 

By the way, I LOVE Chinese Hot Pot and now is the perfect season for it. 

I took Adam Shostack’s course at DevSecCon in Boston in 2018 where I met other luminaries such as Caroline Wong and Jeff Williams. 

I brought Adam’s training to United Health Group and created an internal Security Champion program called Optum Security Advocate which was modeling (loosely) on Chris Romeo’s program he started at Cisco. 

I am also one of the founding members of the Triangle Chapter of the Cloud Security Alliance. 

Looking forward to connecting with everyone. 

Userlevel 2

 

  • Where you work, live, and your current role

    Nigel Hanson, working for Trimble Inc (20+ years, with a couple of “breaks” - ok, I left, but came back each time), based out of New Zealand but prior to Covid visited a lot of the world, currently AppSec specialist for our Global Security team.
     
  • Your threat modeling experience, challenges, expertise - whether you’re just beginning or further down the journey, we’d love to hear more of your story

    My “aha” moment with TM was playing Elevation of Privilege with Adam Shostack (https://shostack.org/blog/lessons-learned-elevation-of-privilege/). 

    HUGE fan of
    - the 4 questions (it’s on my email signature)
    - Threat Modeling Manifesto (ESPECIALLY the anti-patterns).

    Believe you can threat model anywhere, anytime and try to take what can be overwhelming things like STRIDE and DREAD and refer to them as “just a potential picklist of things that could go wrong, together with a way to prioritise those things”.
     
  • Where we can find you if you’re not threat modeling

    Well it’s almost summertime here in NZ, so outside with a BBQ and/or wine - or visiting some of the outdoor spaces that I finally started exploring when Covid hit and we could finally get access to (at affordable prices) when no tourists were allowed in the country 😎.
  •  

     

Userlevel 1

Hi all! I’m Simone Curzi, and I’m happy to join this community.

I am a Threat Modeling veteran, having started delivering it about 8 years ago. Having joined Microsoft since January 2000, I still work there a Principal Consultant specializing in Cybersecurity, Application Security and Threat Modeling. As such, I have accumulated a lot of knowledge about diverse customer Industries and scenarios, moving from Financial sector, to Manufacturing and Public sector.

I have been the leader of the internal Microsoft Community on Application Security for 5 years. I love to participate to international events. The collaboration I am most proud of is one with Altaz Valani, Hasan Yasar, Jack Freund, and Arun Prabhakar, which has led to the preparation of a study on a Maturity Model for Threat Modeling focused on Agility and Business Value. This study has culminated with a presentation at the (ISC)2 Security Congress in 2021.

My focus is to apply Continuous Learning and Continuous Improvement principles every time I can. For example, this has led me to start mad endeavors like developing tools for Threat Modeling because I wasn’t able to find a suitable tool to support the process I envisioned.

I live in a small city in the middle of Italy, and I have a wonderful family with my wife and my twin girls. Besides dedicating time to them, In the last months I have spent a lot of effort and of my free time working on a book with Michael Howard and Heinrich Gantenbein. It is not on Threat Modeling, but of course I have included chapter on our beloved practice. How could I not? :)

I look forward contributing to this community. I hope it will be instrumental in ensuring the healthiest growth of Threat Modeling in every organization around the globe!

Userlevel 2

Hi All,

Really happy to join this community of threat modelling experts. I am Robin, a fellow threat modeler and i hope to learn from you all as well as bring my contribution to the table where appropriate. 

Hello all

 

My name is Michael Loadenthal and I work coordinating some threat modeling and related security review projects for a few universities. We work to bring the methodology of ‘traditional’ TM (i.e., software, networks, etc.) to less traditional settings such as those applicable for journalists, human rights workers, activists, etc. I am specially interested in operational security and technological approaches to security utilized by violent non-state actors and specialize in the far-right.

 

I am based in Cincinnati, OH and serve a variety of employment roles including as a Postdoc Researcher for the Center for Cyber Strategy and Policy in the School of Public and International Affairs at the University of Cincinnati. I also work leading research teams for Princeton University’s Bridging Divides Initiative, and I also serve as the founder and Executive Director of the Prosecution Project where we track and analyze court cases involving political violence. We teach threat modeling--both the traditional and modified approaches--in all of these roles.

 

You can see some of my work here: https://michaelloadenthal.academia.edu/ and our team’s work https://theprosecutionproject.org/ and https://bridgingdivides.princeton.edu/

 

I am always looks for collaborators for new projects, opportunities to present, and ways to enrich the work that we’re doing. Feel free to get in touch!

 

Loadenml@ucmail.uc.edu | ml2283@princeton.edu | mLoadenthal (Twitter)

 

Userlevel 4

你好 @EricWHart ! 歡迎你 :) Thanks for sharing the introduction to your threat modeling journey! I’m sure @adamshostack and @Chris Romeo will be proud to learn their work has made an impact in the programs and training you later created for your organization! Look forward to learning more about how the programs are going and your new learning/findings along the way! 

P.S. Glad to found another Chinese hot pot fan! In fact, we had three hot pot parties in a row over the past thanksgiving weekend in our household…welcome, the dark and long New England winter…!


///

Hello @nznigel ! Welcome to Threat Modeling Connect! Thanks for sharing your “aha moment” about threat modeling and the two helpful resources as you began threat modeling -- the Four Questions and the Threat Modeling Manifesto. As part of evangelizing the Four Questions, one of our founding members @JamesR wrote an article that summarizes this framework. We’d love to hear your thoughts and what you may add to that summary based on putting that framework into practice for years! 

P.S. Beautiful picture 💙⛰️! I hope you enjoy the summer and all the beauty and fun it has to offer before the tourists come back.

///

Benvenuto @simonec! Thank you for joining Threat Modeling Connect as a threat modeling veteran. Your experience working in AppSec across multiple industries is impressive. You must have a lot to share about the implications, unique or common challenges in each industry!

The Maturity Model for Threat Modeling you mentioned sounds super interesting, too! In fact, there’s a recent question in the community about seeking a Maturity Model framework. I think you may have some great insights and guidance to share! 

Looking forward to working/learning/collaborating with you more in this new community. Good luck on the new book! Keep us updated as you get into the threat modeling chapter!

///
Welcome @Robin! Thank you for joining us! Love your recent question about the maturity model. It’s a BIG topic and we’ll dedicate a few months next year specifically for this topic and will have articles, discussions, workshops about it. In the meantime, I’ll ask around and see what other members may have to share :)

///
Welcome aboard @loadenthal ! Glad to have you! Thank you for sharing with us your amazing work that extends threat modeling beyond software security. In fact, when we were developing the mission statement of Threat Modeling Connect a few months ago, @Chris Romeo @Brook Schoenfield @jt.infosec stressed that we want to make threat modeling a standard practice not just in software development. Seeing how you embedded threat modeling beyond the software/technology settings and extended it to the journalism and media, social work, etc is inspiring. Welcome again!

Userlevel 1

Hello everyone,

really happy to join this threat modeling experts community. My name is Wilhelm and i’m based in Germany. I’m creating threat models and relevant approaches for 8 years now and looking forward to great conversions and also contributions from my site. 
 

Best regards
Wilhelm

 

 

 

 

 

Userlevel 4

Willkommen, @biyahis42! Happy you are here and look forward to learning more about your stories working on threat modeling for the past 8 years (that’s a long time!). One of the founding members of this community, @Michael Bernhardt, is also from Germany and is leading the security program for one of the largest telecom companies there. He’s hosting the December community meetup next week that you may want to check out! 

Welcome again! Feel free to poke around in the community or start joining discussions! If you have any questions about the community in the meantime, feel free to DM me anytime 😊

Userlevel 2

@biyahis42 Wilhelm, (not) long time! 😉 Good to see you again and happy to see you a part of the community! Let’s catch up in the next days.

Userlevel 1

¡Hola! Hi everyone!

 

I am the Team Leader of developers focused on Open Threat Model (aka OTM) at IriusRisk. We not olny work on improving OTM standard but also converting IaC, diagram, and other threat model formats to OTM by evolving Open Source Startleft parser.

I was introduced to threat modeling (thanks to @Adam Shostack’s useful 4-question framework) a few years ago. That said, my interest in cybersecurity dates back to 2012, especially on Ethical Hacking.

Whenever I started an ethical hacking project I always made myself the same question: better than waiting for pentesting to know if a system is secure or not, why not increasing its security in previous stages such as design or development? This will allow for getting the continuous feedback about the security of my code. So I won’t be in a reactive position to fix flaws; instead, I can be proactive and prevent the flaws in the beginning.

I would never have imagined at that time how interesting this journey will unfold in the following years but have enjoyed every part of it ever since.

I'm based in Canary Islands, Spain 🇪🇸, part from hitting the gym, I enjoy learning to write short tales in a writing workshop. I love pets and sometimes I enjoy preparing tiramisu as dessert.

Looking forward to meeting and learning with everyone in this community!

Userlevel 1

There is no concept of one size fits all approach to Threat Modeling!

The Threat Modeling Manifesto authored by Adam Shostack,Zoe Braiterman,Brook S.E.Schoenfield ,Robert Hurlbut, Jonathan Marcil and other security experts emphasizing the following values is the foundation to implement and execute a successful Threat Modeling Program 

  1. A culture of finding and fixing design issues over checkbox compliance.
  1. People and collaboration over processes, methodologies, and tools.
  2. A journey of understanding over a security or privacy snapshot.
  3. Doing threat modeling over talking about it. Continuous refinement over a single delivery. 

Threat Modeling Connect is a think tank for the security community to learn ,exchange and adopt to the best security practices. 

My name is Sai , based out of Bangalore (India). I am in the industry for over a year and pursuing Research in Threat Modeling & Risk Analysis for the future of the global automotive industry.

Looking forward to learn and share the experiences with the community!

Reply