Hi All,

One of the issues that I run into constantly with threat modeling is the noise level. That is to say, many false positives. One way to look at this, I suppose, is that these false positives are an indication that you've cast a wide enough net. But this leads to hours tracking down the justification to write off these NA threats. (These false positives may also tend to overwhelm developers who are new to threat modeling - it is difficult to convince them that threat modeling works when they have to spend so much time weeding out the junk.)

I tend to think that the answer to this is "better data". However, given that threat modeling is *ideally* done as early in the SDLC as possible, when quality/rich/complete design data may not yet be available, how can one mitigate these false positives, and tune threat modeling to achieve higher quality, less noisy results?

Looking for ideas here… thanks,
-Bill
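An added example, not part of the post above or of any tool it mentions, to make the "better data" point concrete: a toy STRIDE-per-element generator for data flows that only suppresses a threat when the design data positively shows a covering control, and otherwise flags the finding for human review rather than dropping it. The element names, attributes and threat-to-control mapping are constructed for illustration.

```python
"""Added illustration (not from the forum post): how richer design data
shrinks the triage list without silently hiding threats.

Every name, attribute and rule here is a constructed assumption."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class DataFlow:
    """A data flow in a DFD. None means 'unknown at this stage of design'."""
    name: str
    crosses_trust_boundary: Optional[bool] = None
    encrypted_in_transit: Optional[bool] = None
    authenticated: Optional[bool] = None
    integrity_protected: Optional[bool] = None


# Constructed mapping: for each STRIDE category that applies to a flow,
# the design attribute that, when True, means a control already covers it.
STRIDE_FOR_FLOWS = {
    "Tampering": "integrity_protected",
    "Information Disclosure": "encrypted_in_transit",
    "Spoofing": "authenticated",
}


def threats_for_flow(flow: DataFlow) -> List[Tuple[str, str]]:
    """Return (threat, status) pairs for one flow.

    status is one of:
      'suppressed'   - design data shows a covering control, so no triage needed
      'needs-review' - the relevant fact is unknown; never auto-suppress on a guess
      'open'         - design data shows no covering control
    """
    results: List[Tuple[str, str]] = []
    if flow.crosses_trust_boundary is False:
        # Flow stays inside one trust boundary: STRIDE-per-element raises
        # nothing for it, which is the single biggest noise reducer.
        return results
    for threat, control_attr in STRIDE_FOR_FLOWS.items():
        covered = getattr(flow, control_attr)
        if flow.crosses_trust_boundary is None or covered is None:
            # Missing data is the early-SDLC case: keep the finding visible.
            results.append((threat, "needs-review"))
        elif covered:
            results.append((threat, "suppressed"))
        else:
            results.append((threat, "open"))
    return results


def triage_load(flows: List[DataFlow]) -> int:
    """Number of findings a human still has to look at (open + needs-review)."""
    return sum(
        1 for f in flows for _, status in threats_for_flow(f) if status != "suppressed"
    )


if __name__ == "__main__":
    # Constructed sample: the same three flows at an early and a later design stage.
    early = [DataFlow("api->db"), DataFlow("svc->cache"), DataFlow("browser->api")]
    later = [
        DataFlow("api->db", True, True, True, True),
        DataFlow("svc->cache", crosses_trust_boundary=False),
        DataFlow("browser->api", True, True, False, True),
    ]
    print("early-stage triage load:", triage_load(early))
    print("later-stage triage load:", triage_load(later))
    for f in later:
        print(f.name, threats_for_flow(f))
```

The design choice worth noting is that unknown attributes produce "needs-review", not silence: the noise goes down only as the model gains real data, so the early-stage list is long by construction and the later-stage list is short because controls and boundaries are now recorded, not because findings were guessed away.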
I am a complete FNG when it comes to threat modeling, I actually came across this page while researching TrustOnCloud control catalog and saw this. I am confused what is the difference between TrustonCloud, NowSecure, IriusRisk and Toreon. To me it looks like TrustonCloud gives you the info with the assumption you know WTH you are doing with the CSPs, while the other 3 provide tools to create ThreatModels and provide consultancy services. At least that is what I think I am seeing but not really knowing since this is all new to me. Any help would be greatly appreciated.
Hi - first post here.

I've been using STRIDE for some time. Heard for the first time about "STRIDE-LM" at ThreatModCon23 but was not able to pin down its definition. I've since heard two possible definitions: LM = Lateral Movement, or LM = Leaking, Masquerading. Is there any consensus and does anyone know the origins of this addition/extension to the classic STRIDE?

Thanks,
-Bill
They say a picture is worth a thousand words, and so including some kind of diagram in your threat modelling process likely aids in understanding the system being threat modelled. But some diagrams can end up looking like "spaghetti and meatballs", depending on the complexity of the system. I thought it would be interesting to take the pulse of the community on this topic, so we can better understand what approaches are being used.

Note, if your threat modelling approach uses lots of diagrams, perhaps just answer for the scenario where you were forced to choose just one.
So I know the usual suspects, of course: @Adam Shostack's books, various YouTube channels (including from IriusRisk), the Threat Modelling Manifesto, and this forum. But let's say I want to become an "expert" in Threat Modelling… what can you recommend? Something on LinkedIn Learning, perhaps? Or by O'Reilly? Or is it simply a matter of getting up-to-speed on the primary literature and hands-on learning?