Shostack + Friends Blog


Threat Modeling for Security Champs

Our next open course is in just a few weeks!

Threat modeling often fails because it seems like a game of ‘ask two experts, get three answers.’ (And let's be honest, some days people feel lucky that it stops at three.)

One of the keys to scaling threat modeling (and software security more generally) is consistency: ensuring that your champs have the skills, beliefs and attitudes to support a threat modeling program at scale.

Because we saw that fail so often, we built a course, Threat Modeling For Security Champs, that’s all about consistency. How do we introduce threat modeling? How do we encourage people to do useful work in useful ways? In class today, someone shared a story about a security champ who asked them to focus on the use case, “what if someone's username and password were stolen? What would we do then?”

Maybe that champ would tell a different story? Maybe they tried to push for multi-factor authentication? Maybe they wanted to think about misuse detection? I don't know, but more importantly, my student didn’t know.

That’s why getting your champs to consistency is sooo important. You leave with partners, not confusion.

Our next open Champs course kicks off in just a few weeks, on October 3, and we have some seats remaining, so we’re sharing a last early bird coupon for 15% off: Use eboct301-15 when you sign up at Threat Modeling for Security Champs, and we hope to see you there!