Threat Modeling Insider – December 2023

Threat Modeling Insider Newsletter

30th Edition – December 2023

Welcome!

We’re back once again with another packed edition of our Threat Modeling Insider! This month’s edition features a guest article by Chris Romeo, CEO & co-founder of Devici, where he talks about the world’s first Threat Modeling Conference. Additionally, our very own Sebastien Deleersnyder has collected the key insights from the recent Risk Match webinar on Navigating the Future of AI Security, organized by IriusRisk.

But that’s not all of course, let’s take a look at what else we have in store for this month’s edition:

On this edition

Curated content
Threat Modeling is now part of the NCSC’s guidance on Risk Management

Training update
An update on our upcoming training sessions.

GUEST ARTICLE

The World's First Threat Modeling Conference

Chris Romeo, CEO & co-founder of Devici

I was one of the founding members of the online community Threat Modeling Connect. During the initial conversations about what the community would become, I brainstormed with Shuning Hsu, the Community Leader. I let it drop that we should do a dedicated threat modeling conference. I volunteered to help lead it when the time was right. Shuning and I had another conversation a few months later, and the idea to host a conference was in full flight. I was officially on board as the Global Chair for the Threat Modeling Conference!

We gathered an advisory board to plan the conference and carry the leadership load. The conference committee included Izar Tarandach, Matt Coles, Brook Schoenfield, Irene Michlin, Sandy Blackwell, Chris Ramirez, and Zoe Braiterman. We joined forces as a threat modeling committee to assemble the best and most educational event on threat modeling, put together by the best and brightest in the world of threat modeling!

We spent months planning out every logistical detail, reviewing each speaking submission, and building an excellent program of a keynote, talks, and workshops. All this hard work resulted in an event that I could only describe as “magical.”

The day was magical, from the twelve sessions covering seven themes of threat modeling to the Birds-of-a-feather discussions over lunch. The threat modeling community was together in one place for the first time, and I heard from multiple people at the event that this was the first time they ever felt like they had peers to discuss threat modeling with. From hallway discussions to networking with the people you were sitting next to, the threat modeling community was coming alive.

The day began with a “not-keynote keynote,” the brainchild of Matt Coles, entitled “Threat Modeling is for Everyone”. Matt assembled six speakers and tasked them with each describing via story what threat modeling means for them. No slides were allowed to ensure that the focus was on the story. Matt acted as the moderator and connector between people, and Seba Deleersnyder, Robert Hurlbut, Tanya Janca, Brook Schoenfield, and John Taylor graced the stage and shared their stories. After the stories, we had an open question-and-answer time with the audience and the keynote panel.

I’ve broken the rest of the day’s conference talks and workshops across seven themes. I’ll explore each theme and provide context about what you’ll find with these sessions.

Theme 1: How to start doing threat modeling.

Robert Hurlbut provided one of the workshops for the day, “Developing a Threat Modeling Mindset.” In this workshop, Robert provided a path for those new to threat modeling to experience the process and gain experience performing threat modeling. We wanted to ensure that we did not assume that all participants at the event had decades of experience. Our theme was “Threat Modeling is for Everyone,” so we had to ensure that we had a session to teach threat modeling from the ground up for those new to the discipline.

Theme 2: How to scale threat modeling practices

After setting up a threat modeling program and getting it rolling, scaling it quickly comes to the forefront. Folks must go from one threat model daily to one thousand, which requires scalability.

Brenna Leath and Lisa Cook shared their “Threat Modeling Program Milestones: A Journey to Scale” session, where they spoke about their efforts in growing and scaling a threat modeling program inside a big company. They distilled wisdom for companies big and small with scaling.

“The Hitchhiker’s Guide for Failing Threat Modeling” by Michael Bernhardt covers different approaches for succeeding with threat modeling by studying past things that have gone wrong. Michael parallels martial arts and threat modeling, which was a big win for me! I love when speakers flip the script and talk about how to ensure something fails. It’s a helpful way to think through the problems.

“From Threat Discussion to Completed Mitigation: Making your Threat Model Useful” by Jonathan (Jono) Sosulska was our second workshop. Jono focused on how to make the threat model useful by focusing on the mitigation. This workshop was aimed higher, at intermediate-level threat modeling people, continuing our theme that threat modeling is for everyone.

Theme 3: How do you integrate threat modeling in agile development?

Geoff Hill introduced his RTMP methodology via a talk entitled “Being VERY Agile with Rapid Threat Model Prototyping (RTMP).” Geoff focused on how to apply threat modeling in an Agile software development structure. Everyone has gone Agile, so this was a timely talk for those considering how best to align threat modeling to an agile development methodology.

Theme 4: How to integrate privacy in Threat Modeling

“Shifting Privacy In” by Dr. Kim Wuyts reminded us that threat modeling is about security AND privacy. Privacy is essential; threat modeling can be used to implement privacy, and privacy and security threat modeling are friends. She described how security and privacy strengthen each other and require different mindsets but that combined analysis is more efficient than separate.

Theme 5: How to automate your threat modeling process

“Classic Brainstorming Threat Modeling VS Threat Modeling Tools: Lessons Learned” by Edouard Stoka helps us see the value of an automatic threat modeling process. Edouard shares real-life experiences from running threat modeling at ADP. He describes how the best of both worlds is having an extensive collection of applications threat modeled by experts and having access to the best threat modeling tools.

Theme 6: How to leverage AI for threat modeling

AI is all the rage, so we had to have at least one talk that bridged AI and threat modeling. “Everyone is a Threat Modeler: An AI-Enabled Journey for Beginners” by Wael Ghandour was a session where Wael describes his journey experimenting with ChatGPT as a threat modeling tool.

Theme 7: What threat modeling means to our community

The community theme brings together two distinct talks that cover the community in vastly different ways.

With “The Threats to Our Community” by Avi Douglen, Avi applies STRIDE to building communities and exposes the threats we must look out for. He also shares practical ways to protect the communities we create to ensure they are inclusive for all.

In “Operational-Intersectional Threat Modeling: Adapting for IRL and Offline Application” by Dr. Michael Loadenthal, Dr. Loadenthal unlocks a new world of use cases for threat modeling beyond the typical technology product feature. He explains how threat modeling is not just for applications, networks, and digital systems and how, as a methodology and logic, it can have wide application in broader security work. He introduced us to how offline and traditional threat modeling can benefit from an intersectional, harm reduction-informed approach. (This session was not recorded for the event, but you can find Dr. Loadenthal on an episode of the Threat Modeling Podcast entitled “.”)

Conclusion

With the first-ever dedicated Threat Modeling Conference, a new movement has begun. Threat modeling people finally have a place to gather, share best practices, network, and connect.

Look towards the future and attend a Threat Modeling Conference. You’ll find peers to discuss the details of threat modeling and scaling a program, you’ll make new threat modeling friends, and you’ll help to move the practice of threat modeling forward!

CURATED CONTENT

Handpicked for you

Toreon Blog: Navigating the Future of AI Security: Insights from the Risk Match Webinar

Dive into the dynamic world of AI security through our curated content from the recent Risk Match webinar. Industry leaders explore evolving risks, innovative security frameworks, and global regulations. Gain valuable insights into the future of AI security.

Threat Modeling is now part of the NCSC's guidance on Risk Management

Explore threat modelling in cybersecurity risk management. This article from the NCSC guides you in analyzing technology systems, foreseeing issues, and implementing controls. Learn when to integrate threat modelling into development and risk processes. Discover key elements like understanding threat sources. Whether you’re a developer or security analyst, gain practical insights to enhance security.

Scaling threat modeling in an organisation might require an order of threat modeling

Explore NIST’s innovative Criticality Analysis Process Model (NISTIR 8179), reshaping asset prioritization for information security and privacy risk management. This model uniquely identifies and protects vital systems and components in the face of diverse threats and associated costs. Tailored for industry needs, it ensures a comprehensive understanding of asset criticality, addressing gaps in existing guidance.

Upcoming trainings & events

Book a seat in our upcoming trainings & events

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat Asia, Singapore

Next training date:
16-17 April 2024

Advanced Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by BruCON Spring training, Belgium

Next training dates:
17-18 April 2024

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on:
13 May 2024
