On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
Big thanks to our sponsor:
Risk3Sixty - https://risk3sixty.com/whitepaper/
Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/
Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L
Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/
- 00:00 Introduction
- 06:02 The 4 Questions that allow you to measure twice cut once
- 09:29 How Data Flow Diagrams help teams
- 16:04 It's more than just looking at threats
- 19:23 Chasing the most fluid thing or the most worrisome thing
- 22:00 All models are wrong and some are useful
- 26:25 Actionable Remediation
- 31:05 LLMs and Threat Models