Introduce yourself! 👋

Welcome to the TMC forum! We want to get to know you.

Threat modeling, like any craft, is a journey. We all started somewhere, and no two paths look the same.

Use this thread to introduce yourself and share your story:

• How did you first get into threat modeling?
• What’s a moment you’re especially proud of in your journey?
• Who or what inspired you along the way?

Whether you’re just starting out or have been at it for years, your story is unique and adds to our shared journey.

So…what’s your name, where are you based, and where did it all begin for you?

Hi! Adam Shostack here. I’ve written a couple of books on the topic (Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars), created the Elevation of Privilege game, and now run Shostack + Associates to help folks threat model.

Hello everyone! I’m Fraser Scott. I’ve been involved in threat modeling for about 10 years now. I initially got started with it in order to ensure a open source security project was secure by design, and made an attempt at implementing a code-friendly way of documenting threat models in the form of ThreatSpec. I then worked for a large US bank where I was doing cloud security and then spent a few years rolling out an enterprise threat modeling program focusing on education and process. I now work at IriusRisk as VP Product to ensure we’re making threat modeling easy and scalable for everyone.

Hello Everyone!
Amit Sharma here. I have been in the industry for more than a decade and have servered various roles and have worked with various clients in my different jobs. Here is my linkedin profile for more infromation. Amit Sharma - ASR | LinkedIn

I was introduced to Threat Modeling back then in 2010 and was intrigued by then with Microsoft threat modeling tool and content. Then I came across Adam and his work in the area which got me interested further in this field and it was great to learn along the way. Feel free to ping me if you want to talk about threat modeling but also other topics including but not limited to cybersecurity Given my interest in threat modeling and immense love towards it , I am also contributing to build up the community and a moderator of the forum.

Hi there! I’m Qasim, a cybersecurity enthusiast with over two decades of experience navigating software development, solution architecture, and mostly cybersecurity architecture. For the past six years, I’ve been deeply immersed in threat modeling and security architecture particularly within the financial and manufacturing sectors. My areas of interest within threat modeling includes but not limited to threat modeling maturity, institutionalizing the practice, as well as training and automation.
I’m excited to connect with this amazing community where I can share my experiences as well learn from others.

Hello all, I am Jason Nelson and I threat model and build threat modeling programs. This is going to a great opportunity to share ideas and learn from each other.
I have been threat modeling for over 7 years by name and have recently started my own company to help businesses build their own threat modeling programs.

Hi! I’m @Dave Soldera and I’ve spent the last decade doing Security Architecture with a focus on threat modelling. In the last couple of years I’ve open-sourced my own approach to threat modelling and developed a tool called threatware. I’ve always been a fan of integrating security early into an SDLC and believe threat modelling is the best tool to do that.

I’m looking forward to learning more from the community and getting involved in helping the community raise the bar for threat modelling as a security activity that delivers value for all.

I’m also helping out on this forum as a moderator, so if there is anything I can do to help, please feel free to reach out.

Hi everyone! I am Robert Hurlbut. I first learned about Threat Modeling in 2004 from reading Frank Swiderski’s and Window Snyder’s book by the same name. I was a full-time developer/architect then, and the techniques and approaches resonated with me. I started applying Threat Modeling to my work and working with developer teams. For the last 10+ years, I have focused on helping organizations learn about and build Threat Modeling programs. In 2016, I started the Threat Modeling program at Bank of America, and in 2017, I continued to lead the program until late 2021. I then joined Aquia, a small cybersecurity consulting company, where I continue to lead and build Threat Modeling programs for customers, primarily in the public sector.

Since Threat Modeling Connect started, I have enjoyed getting to know the wider community, learning from them, and sharing with others.

Hi y’all! My experience is a tad wonky. I cut my teeth on modeling efforts in 2006 as a counter terrorism modeler, which looked at organizations as systems of systems. This taught me many transferable skills which includes system of systems analysis, root cause analysis, threat modeling, and policy writing. I transitioned to the cyber domain in 2015 as I began the challenge of tackling the malign use of cyber infrastructure and technologies with regards to nation-state actors. I got the opportunity back in 2017 to do a rotation at the Pentagon engaging with the Defense Science Board, Joint Chiefs of Staff, and other principles on cybersecurity matters. While I was a researcher with MITRE I focused on championing threat-informed cybersecurity policies, conducting real-world threat model assessments on critical infrastructure and supported functions, as well as supported efforts like MITRE ATT&CK and MITRE DEFEND.

Currently, I run the Threat Modeling program at MUFG Ltd. While the focus at the bank is geared towards application security (per Federal Reserve requirement), I am trying to get more buy in on using threat modeling techniques to prepare for red team activities, to model attack vectors, and to help assess organizational risk through a threat-informed approach.

My passions have been focused on working out a means to use NLP, NER, and LLM/ML to provide contextual tagging of threat information in an effort to automatically correlate actor, TTP, IOC, and mitigation to a list of declared assets. I know its a bit lofty, but it’s been a fun exercise in the art of the possible.

Hi

It started several years ago when I received an E-Mail from Axel: “Here’s some influencial Security books.” - “Threat Modeling - Designing for Security”? Sounds interesting! Bought. Read. Immediatelly thought: That’s so awesome! We must use this!

Meanwhile there were external consultants who brought us some STRIDE, Excel template and a {LOW, MEDIUM, HIGH, CRITICAL}² arbitrary risk rating scheme with all-critical bias.

We launched several Threat Modeling activities…

What I learned quickly is that people need actionable advice what to do, so I crafted our version 1 Threat Modeling process. This helped promote our Threat Modeling.

I got a second degree - Master IT Security. My master thesis was about “Usable and Secure End-To-End Encrypted Medical Image Link Shares”. I was especially happy that I could create and publish my Threat Model that I had done as part of the thesis. It was version 8. I had experimented quite a lot with different ways how to denote Threat Models. I ended up building my own solution with interconnected items, which later became the Threat Items Threat Modeling Template.

A few years later we decided to elevate our Threat Modeling efforts to the next level and craft our version 2 process. We wanted to cure certain issues that had gone wrong in the past - and improve.

When we designed our process, we asked ourselves “When we threat model… What can go wrong? What are we going to do about it?”. (Hey, isn’t that Threat Modeling?! )

I thought that this was a fun and insightful thing to share with the Community, so I translated, generalized and extended the project and published the () Threat Modeling of Threat Modeling #meta. I was interviewed about the project at the Application Security Podcast. And got to share the approach in a Meta Threat Modeling Threat Modeling Connect Community Meetup.

Now I’m working on a training lecture series “Security Ikea” that helps build developers’ Threat Modeling repertoire. I’m watching out for more opportunities to share the magic of Meta Threat Modeling and collect varied viewpoints.

I offer Threat Modeling training for vendors who want to start out.

And I always have an exciting private backlog with Threat Modeling projects… I publish at threat-modeling.net and here’s my Security bio.

Happy to connect!
Hendrik

Hello everyone! I am Gagan Rajput. I’ve been involved in threat modeling for about 6 years now. I got started when I started working as an application security engineer for enterprise applications. Over time the scope has increased/changed to include complex products and infrastructures (cloud, on-premise) while I’ve transitioned into a security architect role. The proudest moment for me in threat modeling was while working with a mature product team they themselves floated the idea of including the process of threat modeling into their code (threat modeling as code) while it was still in its nascent stage in the industry.
These days my challenges with threat modeling have evolved from how to threat model a specific system to designing different tiers of threat modeling processes for different tiers of teams (based on developer maturity, security hygiene, etc.), figuring out how to scale our processes and how to spread education/awareness about threatmodeling in more efficient ways.

@rajput.gagan Welcome! The work you have done around “designing different tiers of threat modeling processes for different tiers of teams” sounds really interesting! If you are happy to share more details (perhaps in the Techniques & Tooling section) than I think the community would be really interested to learn more.

Hey Dave,
Thanks! I will write a short summary for now. The different tiers align with our tiered product security methodology. Lower tiers being self-serve and needed 0/low engagement from security teams. We have different zero touch methods for different groups. For some teams/tiers (criteria based on team’s security maturity, product priority, resource(personnel and tooling) constraints, etc.) they do a ‘lightweight threat modeling’ approach where they basically answer ~7 questions. These questions are expanded (with added specific elements for our group/org needs) from the original 4 questions from Adam’s threat modeling book (what are they building, what can go wrong, etc. etc.). Ofcourse we have self service documentation, guidance, output formats/locations and some lightweight tooling to help folks. There are other teams who have a fairly mature ADR (architecture decison record) process where we’ve been able to inject ‘threat modeling/security consideration’ sections.
And we also have the ‘tier’ where a prodsec engineer works with teams on the usual threatmodeling engagement process (with our own in-house threatmodeler esque tooling or STRIDE based modeling).
We have tested a fair few additional tools/processes but those havent been rolled out due to one reason or another. Examples being: threatmodeling as code, leveraging AI/LLMs to speed up the lightweight threatmodeling approaches.

Hope this helps some more information to your question!

Hello all. Andrew Morehouse from Louisiana. All I’ve done is a couple of the hackathons here. That’s it.

Hi Gagan, ADR process to inject security suggestions is a great idea to enable secure by design culture.

Hallo all,
I am Prasanna, since 2004 my journey started with information security, real life threat modeling experience which I have done in multiple situations, example a telemarketing caller regularly makes annoying calls and disturbing my mom it was the period when Do Not Disturb option was not introduced so I applied a mitigation strategy by saying to the caller “the calls are getting traced and you can prolong the call and you will find cops knocking your doors soon”, to our surprise the warning (deterrent control mitigation) worked really well, my mom was happy no more spam calls. So solutions can be simple as along as it works and keeps the business running.

I have been long waiting for threat modeling community to share and learn, I am happy to be part of the winning team Spring Hackathon 2024. I like threat modeling business processes, identifying potential threats and suggest cost effective solutions to reduce the risks by introducing multiple layers of defense.

Hello all,

I am working as part of the DPO at a large insurance company in the EU.
Part of my work is the DPIA (data privacy impact assessment).
A big part of the DPIA is the risk assessment.
With a bit knowledge about it-sec I decided to have look into best practices there and try do adopt them to privacy.
Then i found the EoP extension and LINDDUN framework.
Now I try to improve the quality of our DPIA with proven threat modeling frameworks. So i am relativly new.

The most hard part is not to learn everything, its to get the acceptance of my customers (in the EU the DPO is not authorized to give instructions, we are just consultants). Also the translation into our native language is a bit of a problem (f.e. whats the benefit of privacy games, which need participation to success, when only a minority can read the cards).

Hi Voxan,
Great to hear that you found your way to the threat modeling community. Threat modeling is indeed the perfect approach for DPIAs.

Regarding acceptance of your customers: it can be a challenge. They tend to see threat modeling frameworks as more work, while actually it streamlines the process and gives them guidance, structure, and knowledge they normally would not have.
Threat modeling (as a security/privacy) engineering practice can help point out that DPIAs/risk assessments are not (just) done for compliance documentation reasons, but actually as a tool to make the product/feature better by design.

Hey Kim,
absolutly. I think it will be better, if we participate from begin on at a project. actual we have to pull up a lot of dpia, because the systems are older then the gdpr.