Here’s a highlights reel of last Friday’s [10-30-20] CISO Series Video Chat “Hacking Bad Threat Modeling: An hour of critical thinking about the worst ways to identify what could go wrong”.
Joining me in this discussion were:
- Archie Agarwal (@myappsecurity), CEO, ThreatModeler Software
- Adam Shostack (@adamshostack), Author, “Threat Modeling: Designing for Security”
Got feedback? Join the conversation on LinkedIn.
Special thanks to our sponsor, ThreatModeler Software
Best Bad Ideas
We got a nice load of 41 bad ideas for this week’s CISO Series Video Chat. Scott Sheahan, product cybersecurity engineer, took top prize; his entry is below, along with one of the honorable mentions.
“Our company doesn’t practice threat modeling. We hire our developers from Stanford.” – Scott Sheahan, product cybersecurity engineer
“Print your threats on t-shirts. Host a fashion show with them. Call it threat modeling.” – Roland Gharfine, InfoSec officer, compliance manager, cybersecurity consultant, Invigo
Best quotes from the chat room
“I think risk makes more sense as a model in some situations more than others. If I’m providing cloud infrastructure I need to decide what to spend money on to fix, from side channel attacks to missing patches. That decision needs to be risk-based. If I’m developing code, it probably makes more sense to just fix everything you can.” – Rick Woodward, cyber security analyst, Gibbs & Cox
“There are only two ways to advance a football: run or pass. You can’t model for the over 1,000 plays you’d see in a season. You look at the two broad methods (run/pass) and then model what’s most likely.” – Dutch Schwartz, strategic lead, AWS Global Security Services Team, AWS
“Threat modeling requires a certain level of program maturity. Foundations required. Many orgs I have assisted really struggle with foundations, so it’s difficult to move them into the threat modeling approach, especially when they are struggling with simply having a solid risk management function.” – Thomas Torgerson, security consultant, Blue Cross Blue Shield of Alabama
“The business owns the risks, the CISO makes them aware of the risks and assists with managing it (mitigation). Not making the business aware of risks puts everyone in a bad place: ‘You didn’t tell me about this risk.’ The business is behind the wheel.” – Thomas Torgerson, security consultant, Blue Cross Blue Shield of Alabama