Shostack + Friends Blog


A New Hope for Threat Modeling, on The CyberTuesday Podcast

Adam was on the CyberTuesday podcast

I recently had the pleasure of joining Simon Whittaker on the CyberTuesday podcast for a wide-ranging discussion about threat modeling and organizational culture. I wanted to share some key themes we explored.

One of the core messages I emphasized is how we can make threat modeling more accessible. If you’ve read my recent blog post on Hoarding, Debt and Threat Modeling, you’ll hear me reiterate how people often try to model everything at once and get overwhelmed in the process. Instead, I advocate for starting with four simple questions:

1. What are we working on?

2. What can go wrong?

3. What are we going to do about it?

4. Did we do a good job?

The Four Question Framework is a structured, repeatable set of questions that anyone can apply, without specialist tooling or training, to start threat modeling.

Simon and I also dove into how security integrates with modern development practices. There's often a tension between rapid deployment and security considerations, but it doesn't have to be this way. We talked about focusing security effort on the hard-to-reverse decisions, such as APIs and protocols, which are expensive to change once other systems depend on them. As development ramps up, we can empower developers to handle security considerations throughout the decision-making process rather than deferring them to a late review. I appreciated Simon's thoughtful questions about organizational culture and how it shapes security outcomes.

You can find the full episode of CyberTuesday on YouTube. Thanks to Simon and the CyberTuesday team for having me on!