Shostack + Friends Blog

Layered Defenses at BSides Seattle

How do we use models to help us answer what are we going to do?

Thanks to everyone who came out to my BSides Seattle talk on Friday. We’d love to continue the conversation about ways to help people use structures to explore and design defenses.

BSides participants definitely had a lot of different perspectives, some asking about using complex and deep models like MITRE D3FEND, and others emphasizing for a need for simplicity to improve non-security engineers' adoption. We didn't come out of the presentation with One Model To Rule Them All but a thoughtful discussion on the fact that which model works best relates both to the people using it and many facets of the organization including their security maturity, the type of work they do and more — so maybe we need a menu of models for an organization to choose from.

If you missed it, the slides are here. We thought about setting up a Google form so we can read all your replies, and we think that it'll be a better conversation if we enable a conversation. So please use either Linkedin here or the OWASP Slack, #threat-modeling here.

Originally published by Adam on 02 Mar 2026
Categories: conferences presentations security threat modeling

Our Favorite Content

General threat modeling posts

The Security Principles of Saltzer and Schroeder, illustrated with Star Wars

Subscribe (RSS/Mail)

RSS/ATOM: The RSS feed is here. We recommend RSS as the best way to follow this blog, and think generally RSS is the best way to take control of the information you take in. You can read our thinking here.

Email: If you’d like a lower volume set of updates on what Adam is doing, Adam’s New Thing gets only a few messages a year, guaranteed. We include a subset of posts in each.