AMA: Where can we learn Threat Modelling?

Where can we learn Threat Modelling?
  • Threat modelling, for those who are unaware, is a sort of ‘evil brainstorming’.
  • The question included “How can we learn by doing, not just reading?”
  • Play the game “Elevation of Privilege”, created by Adam Shostack
  • You can actually play online, for free! It just came online last week. Play online here.
  • She also mentions that you should play Backdoors and Breaches, however, that is an incident response card game. You should still play it, but it won’t teach you threat modelling. :-D
  • Every time there is a new project at work, meet with them for one hour and just *try* to threat model. It’s okay if it’s not perfect; if you identify just one risk you had not thought of, your session was productive.
  • Every time someone else at work is doing a threat model, sit in and “job shadow” them. Learning by watching and participating is a fantastic way to get in the middle of things.
  • Non-hands-on activities: 1) watch the many videos on this topic by several experts in the area, Adam Shostack, Avi Douglen, Tony UcedaVelez, Caroline Moeckel, Tash Norris, the list goes on and on.
  • Whiteboard designs with people and then ‘put on your black hat’ and take a look.
  • Ask the tech team (developers, architects, ops peeps), ‘If you were going to hack your app, how would you do it?’ The answers may terrify you, but you’ll be happy you asked.
  • Read Tanya Janca’s numerous articles on the topic: Hacking Robots and Eating Sushi, Threat Modelling Serverless, and Threat Modelling.
  • Then we get a bit off topic and start talking about Azure DevOps and GitHub Actions…

For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

Tanya Janca’s Application Security Adventures #WeHackPurple
