#148 - Threat Modeling (with Adam Shostack)

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask:

1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good enough job?

Big thanks to our sponsor:

Risk3Sixty - https://risk3sixty.com/whitepaper/

Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/

Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L

Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/

Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS

Chapters

• 00:00 Introduction
• 06:02 The 4 Questions that allow you to measure twice cut once
• 09:29 How Data Flow Diagrams help teams
• 16:04 It's more than just looking at threats
• 19:23 Chasing the most fluid thing or the most worrisome thing
• 22:00 All models are wrong and some are useful
• 26:25 Actionable Remediation
• 31:05 LLMs and Threat Models