Topics discussed in this episode
- Hendrik's security origin story
- What makes threat modeling a success?
- Why do vendors totally need threat modeling?
- Struggles when introducing threat modeling
- Motivation behind the project
- VISUS journey
- Generalized, extended and published analysis for a public audience
- How this project might help practicioners get inspired and build better threat modeling programs
- How to threat-model a process?
- Why add phase 0 "How do we threat-model?"
- Some challenges of getting started
- Discussing some of the first topics of the analysis:
- 0️⃣ 🧩 Develop software without threat modeling (May serve as motivation): [0.1] ⛈️ [0.1.1] Blindness, ⛈️ [0.1.2] Insecurity, ⛈️ [0.1.3] Actual Damage
- 🧩 Design Threat Modeling process (how) [0.3]: ⛈️ [0.3.2] Perfect process trap, ⛈️ [0.3.6] Non-actionable process
- 🧩 Train and Launch Threat Modeling program [0.5]: ⛈️ [0.5.1] Lack of training, ⛈️ [0.5.2] Too theoretical training
- 🧩 Catch up on threat models for existing products [1.1]: ⛈️ [1.1.1] Threat modeling a “giant”
- 🧩 Threat model new developments [1.2]: ⛈️ [1.2.1] Outdated threat models, ⛈️ [1.2.4] Mitigation debt / Security later & “later=never” anti-pattern
- (Not covering anything from 2️⃣ “What can go wrong?” Phase / 3️⃣ “What are we going to do about it?” Phase / 4️⃣ “Did we do a good (enough) job?” Phase / *️⃣ Overarching aspects. The goal of the podcast episode was to introduce the project.)
- Call to Action from Chris and Hendrik: Please read, get inspired and give feedback!
- Lightning round
Video podcast version at YouTube
Audio podcast version with all the platform links
