Meet & Greet Your Peers 🤗

  • 20 September 2022
  • 33 replies
  • 794 views



Welcome @Roger_RPC and congratulations on beginning the journey. We all started somewhere, didn’t we? Curious - which 450-page TM book did your manager give you that you faithfully finished?

Congrats, @Roger_RPC , you’ll have a lot of fun. 🙂 I’ve started in a very similar way in 2010 so at least I know it’s possible to bootstrap with a book. 

Thanks for the assurance @irene221b 🤗 With which book did you bootstrap learning about TM?

 

😂 It’s a mystery! I was going to say “Of course it was Adam's book”, but now I see it wasn’t available until 2014, so I don’t understand how we ever managed to do threat modelling. 


@irene221b 450 was a bit overstated. But, the book in question is Threat Modeling by Frank Swiderski & Window Snyder © 2004 (250pp). I am also using the 2021 Threat Modeling Framework by The Mitre Corporation. 

I’ve been in this capacity for about a month and by no means would I say I have faithfully finished it. Rather, it’s a point of reference. 

I will say, to help hone my skills as quickly as possible, I am creating a video training series for our developers and that is helping immensely. In the series I take bite-sized pieces (3-5 min videos) to cover what I learned for the week (How to install, where to find help when you’re stuck, what is the STRIDE methodology, etc.). 

I’m thankful for this community and all the help I can get -- it’s a much bigger task than I was initially expecting. *smile* 


Howdy everyone!

Did that sound Western enough?  My name is Jon Snurka and I’m from Denver, Colorado.  I’m brand new to Threat Modeling.  I manage a team of Security Risk Assessment engineers and you’ll probably see a few of them pop up in these forums.

We just purchased IriusRisk and are working on configuring before tackling our first TM.  I hope to learn from this community because I’ve been told that TM is a “Shiny object” at work and it shouldn’t be my team’s priority.  I beg to differ because catching issues earlier is always better.

When not working, I’m riding my bike, reading, playing D&D or doing something else outdoors.  Colorado is the place to be!

Looking forward to connecting to everyone.

Jon

Howdy Jon!

It’s great to have you in Threat Modeling Connect and welcome to the world of threat modeling! As a community, we believe that any expert in anything was once a beginner, and we’re glad to be a part of the beginning of your threat modeling journey! 😊

Given your background and expertise in risk management, there are two great guides you may be interested in (created by @fixbits and @mario.platt, leading TM practitioners with a wealth of experience in risk management). They should give you a great overview and some ideas on how TM can be connected to and support the existing efforts of your team. Give them a read and share your thoughts, questions and ideas with us!

Congratulations on embarking on your TM journey! Bon voyage 🚢

Hi Everyone,

Found the group by pure accident on a day looking for threat modelling resources.

I presently work in the public sector as a Security Advisor and live in the Highlands in Northern Scotland.

I adopted STRIDE a number of years ago both using the Microsoft tool and applying it manually to data flow diagrams.

Working in agile-style programmes of work, I have evolved my use of STRIDE and manually collate results for each connection into ‘Acceptance Criteria’, which then weave into an agile story rather than inventing security stories, which I have found are not taken as seriously by the business.

Keen to evolve my use of Threat Modelling within an Azure environment, but I struggled with the Microsoft tool, which generated a forest of useful information that was difficult for the projects to digest or get traction on.

My present manual overlay of STRIDE elements on a data flow diagram is well received but does take time, and it would be nice to merge it with NIST CSF so that I have both threats and risks mapped easily rather than always requiring me to join the dots up.

When not threat modelling I am found walking along the Caledonian canal which is on my doorstep or assisting my partner in the garden mowing my very English lawn that just so happens to be in Scotland!

Looking forward to collaborating with everyone, stay safe, Pete

Welcome to the community @Pete60, thank you for introducing yourself! It seems that you’re further along on your threat modeling journey. Speaking of agile threat modeling, @stevespringett, one of our founding members, may have some experience and insight to share :)


Hello, Hallo, HiHao, 🙏 Nameste,

My name is Prasanna, and I am working as a Security Architect in the automotive industry in Germany. Learning by doing is my way of gaining experience; to my knowledge, “threat modeling is an art”, which needs practice and patience to get better at and continuously improve. This community 🏆 is a great initiative, very encouraging and helpful. I will contribute whatever I can, and I hope 🙏 all my questions get answered 😎. I will share my ideas and am expecting feedback and suggestions.

📝 I am all up for learning more about how everyone does TM. STRIDE, PASTA, Trike, LINDDUN and more..

✈ When I am not doing TM, I will be traveling.

My suggestion / idea is to have a threat modeling contest, which will make us all engage with more interest and present our cases, inviting more collaboration, idea sharing, and taking suggestions and feedback.

 

Cheers 👍

Prasanna

Hello everyone, merhabalar, bonjour!

 

I am Lütfü Mert Ceylan, a Security Researcher, specializing especially in the Web Application field of Cybersecurity. I am an OWASP Project Leader and owner of the OWASP Top 25 Parameters project. I am also an OWASP Poland Chapter Board Member and the founder of TR Bug Hunters, Turkey's active security researcher & bug hunter community.

I also thank this valuable community; I heard about it thanks to Ms. Shuning Hsu and would be pleased to be a part of it. Because of that, and as I am a speaker at the OWASP Global AppSec DC 23 conference, which will be held the day after this year's Threat Modcon 2023, I will be pleased to be with you and meet you, valuable people, on the day of the conference, as per your invitation :-)

I am specifically focused on server-side and client-side attacks. I am actively involved in the bug bounty field and I have helped detect and exploit over 500 security vulnerabilities across 75+ web applications for companies such as Apple, Oracle, Adobe, Mozilla, United Nations, European Union and 30+ more prestigious companies and organizations, and was then included in their Halls of Fame. Also in the field of cybersecurity, I actively write articles and write complex code snippets in JavaScript, such as creating XSS payloads with cuneiform.

I have a news article in PortSwigger about the CVE record of a vulnerability I discovered. Currently, I am studying at the Warsaw University of Technology and I live in Warsaw, Poland, but during the remaining period of my education I live in my homeland, in Bursa, Turkey. So, I'm based in Karacabey, Turkey, where we have a cattle farm and do farming. Therefore, I love animals very much. I have also been doing professional motocross since my childhood.

However, since I have been working as a freelance security researcher since I was 15 years old and am now 19 years old, I currently live my life by constantly traveling and changing countries. That's why I can say that when and where I will be is very spontaneous 😁

 

@lutfumertceylan (Twitter) | /in/lutfumertceylan/ (LinkedIn)
