Threat-Modeling.net
⛈️☂️(⛈️☂️) Threat Modeling of Threat Modeling #meta
Yes, threat modeling is important, but how can we make it a success? What can go wrong? What are we going to do about it? This project threat models threat modeling #meta.
Threat Model: Latest Version
PDF Version history
Reception
- Insightful pre-release conversation about the project at the OWASP #threat-modeling slack channel
- Launch post and discussion at the OWASP #threat-modeling slack channel
- Talking about the project at the Application Security Podcast with Chris Romeo and Robert Hurlbut:
Topics discussed in this episode
- Hendrik's security origin story
- What makes threat modeling a success?
- Why do vendors totally need threat modeling?
- Struggles when introducing threat modeling
- Motivation behind the project
- VISUS journey
- Generalized, extended and published analysis for a public audience
- How this project might help practitioners get inspired and build better threat modeling programs
- How to threat-model a process?
- Why add phase 0 "How do we threat-model?"
- Some challenges of getting started
- Discussing some of the first topics of the analysis:
  - 0️⃣ 🧩 Develop software without threat modeling (may serve as motivation) [0.1]: ⛈️ [0.1.1] Blindness, ⛈️ [0.1.2] Insecurity, ⛈️ [0.1.3] Actual Damage
  - 🧩 Design Threat Modeling process (how) [0.3]: ⛈️ [0.3.2] Perfect process trap, ⛈️ [0.3.6] Non-actionable process
  - 🧩 Train and Launch Threat Modeling program [0.5]: ⛈️ [0.5.1] Lack of training, ⛈️ [0.5.2] Too theoretical training
  - 🧩 Catch up on threat models for existing products [1.1]: ⛈️ [1.1.1] Threat modeling a “giant”
  - 🧩 Threat model new developments [1.2]: ⛈️ [1.2.1] Outdated threat models, ⛈️ [1.2.4] Mitigation debt / Security later & “later=never” anti-pattern
  - (Not covering anything from the 2️⃣ “What can go wrong?” phase / 3️⃣ “What are we going to do about it?” phase / 4️⃣ “Did we do a good (enough) job?” phase / *️⃣ Overarching aspects. The goal of the podcast episode was to introduce the project.)
- Call to Action from Chris and Hendrik: Please read, get inspired and give feedback!
- Lightning round
Video podcast version at YouTube
Audio podcast version with all the platform links
Feedback?
Please reach out, so that I can improve this work!
https://hendrik.ewerlin.com/security/
A detailed call for feedback is at the bottom of the document.
I'm also working on a Community twin project... Stay tuned!