Shostack + Friends Blog


When to Threat Model

A talk from the Biohacking Village at DefCon brought up a good point. screenshot from virtual talk discussed in the article

At the Biohacking Village at Defcon, there was an interesting talk on Includes No Dirt threat modeling. I thought this slide was particularly interesting. As threat modeling moves from an idea through pilots and deployments, and we develop the organizational disciplines of threat modeling, the question of 'when do we do this' comes up. There's good appsec focused answers like 'every sprint', or 'in line with your waterfall, but those answers aren't universal. For example, they don't help when you're thinking about your supply chain.

The talk by William Dogherty and Patrick Curry (shown) covers a lot of these organizational discipline factors, and this slide appears about 53 minutes in. The whole talk is worth watching.

My previous discussion of the approach overall is in Includes No Dirt: Healthcare Threat Modeling.