This talk will look at how systems are secured at a practical engineering level and the science of risk. As we try to engineer secure systems, what are we trying to achieve and how can we do that? Modern threat modeling offers some practical approaches we can apply today. The limits of those approaches are important, and we'll look at how risk management seems to be treated as an axiom, some history of risk as a discipline, and how we might use that history to build better risk management processes.

About the speaker: Adam is the author of Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. He's a leading expert on threat modeling, a consultant, expert witness, and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft. His accomplishments include:
- Helped create the CVE. Now an Emeritus member of the Advisory Board.
- Fixed Autorun for hundreds of millions of systems
- Led the design and delivery of the Microsoft SDL Threat Modeling Tool (v3)
- Created the Elevation of Privilege threat modeling game
- Co-authored The New School of Information Security

Beyond consulting and training, Shostack serves as a member of the Blackhat Review Board, an advisor to a variety of companies and academic institutions, and an Affiliate Professor at the Paul G. Allen School of Computer Science and Engineering at the University of Washington.
“Even though usability and security tradeoffs will always be with us, we can get much smarter. Some of the techniques are really simple. For one, write everything down a user needs to do in order to use your app securely. Yeah, keep writing.”

In this episode, we talk about:
- What is threat modeling and why should product teams and UX designers care about it? (Also check out Adam's first episode on Human-Centered Security.)
- Focus on parts of the user journey where you might gain or lose customers: what tradeoffs between usability and security are you making here?
- Involve a cross-disciplinary team from the very beginning. This is critical: “How do we get focused on the parts of the problem that matter so we don't spend forever on the wrong stuff?”

Adam Shostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School of Information Security, Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn From Star Wars. Adam's YouTube channel has entertaining videos that are also excellent resources for learning about threat modeling.
This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats.

Resources:
- Here's the Inherent Threats Whitepaper
- Adam's book, Threat Modeling: Designing for Security
- Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars
- We mention the Okta Breach - here's my writeup on it
- We mention the CSRB report on the Microsoft/Storm breach; here's Adam's blog post on it
- And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here

Show Notes: https://securityweekly.com/esw-359
A clear pattern with startups getting funding this week is "autonomous" products and features:
- Automated detection engineering
- Autonomously map and predict malicious infrastructure
- ..."helps your workforce resolve their own security issues autonomously"
- Automated remediation
- Automated compliance management & reporting

I'll believe it when I see it. Don't get me wrong, I think we're in desperate need of more automation when it comes to patching and security decision-making. I just don't think the majority of the market has the level of confidence necessary to trust security products to automate things without a human in the loop. The way LimaCharlie is going about it, with their new bi-directional functionality they're talking up right now, might work, as detections can be VERY specific and fine-grained. We've already seen a round of fully automated guardrail approaches (particularly in the Cloud) fail, however. My prediction? Either what we're seeing isn't truly automated, or it will become a part of the product that no one uses - like Metasploit Pro licenses.

We've talked about generative AI in a general sense on our podcast for years, but we haven't done many deep dives into specific security use cases. That ends with this interview, as we discuss how generative AI can improve SecOps with Ely Kahn. Some of the use cases are obvious, while others were a complete surprise to me. Check out this episode if you're looking for some ideas! This segment is sponsored by SentinelOne. Visit https://securityweekly.com/sentinelone to learn more about them!

This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats.
Resources:
- Here's the Inherent Threats Whitepaper
- Adam's book, Threat Modeling: Designing for Security
- Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars
- We mention the Okta Breach - here's my writeup on it
- We mention the CSRB report on the Microsoft/Storm breach; here's Adam's blog post on it
- And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here

Visit https://www.securityweekly.com/esw for all the latest episodes!
Show Notes: https://securityweekly.com/esw-359
Adam Shostack is widely known in the cybersecurity world for his pioneering work on disclosing and discussing computer vulnerabilities (the CVE (Common Vulnerabilities and Exposures) list). He also helped formalize and train leading approaches to threat modeling and wrote the foundational book on the subject (Threat Modeling: Designing for Security). In this OODAcast we seek lessons from Adam's career and experiences (which range from startups to nearly a decade at Microsoft, as well as the Blackhat review board, and being an Affiliate Professor at University of Washington). We then dive deep into Adam's most recent book, Threats: What Every Engineer Should Learn from Star Wars.

Just what does Star Wars have to do with security engineering? Turns out the movies are full of analogies that can really underscore the importance of good design and operational security. The very beginning of A New Hope shows a space fight where the Empire is seeking to recover data from a breach. The carrier of that breached data, R2-D2, makes it to the planet below. But it somehow knows not to show a special recording to Luke, only to Obi-Wan. That is some high-end identity management and authorization there. From this lens Star Wars is not just a space western, it is a cyber espionage thriller. Adam uses the many analogies from Star Wars to make good engineering concepts more memorable and in doing so is doing us all a service.

For more see:
- Adam Shostack on LinkedIn
- Threats: What Every Engineer Should Learn from Star Wars
- Threat Modeling: Designing for Security
Adam is one of the biggest threat modeling experts in the world; he is an advisor, a lecturer, a game designer, and the author of multiple books, including "Threat Modeling: Designing for Security". His latest book “Threats: What Every Engineer Should Learn From Star Wars” is available now: https://www.amazon.com/Threats-Every-Engineer-Should-Learn/dp/1119895162#:~:text=In%20Threats%3A%20What%20Every%20Engineer,how%20to%20develop%20secure%20systems.

During our conversation, Adam mentioned a book by Csikszentmihalyi, which can be found here: https://www.amazon.com/Finding-Flow-Psychology-Engagement-Everyday-ebook/dp/B086SVQ1MJ/ref=sr_1_1?crid=132R6QL2KYRZU&keywords=finding+flow&qid=1675723854&sprefix=finding+flow%2Caps%2C166&sr=8-1

He also mentioned a book called "Don't Bother Me Mom", which can be found here: https://www.amazon.com/Dont-Bother-Me-Mom-Im-Learning/dp/1557788588
In this episode, we talk about:
- Questions you should be asking to uncover information security threats early on in the design process.
- How to account for human behavior in a structured way as part of threat modeling (spoiler: this is not so different from what you are doing now).
- How to collaborate with an interdisciplinary team as part of an iterative design process to improve the user experience of security.

Adam Shostack is an expert on threat modeling, having worked at Microsoft and currently running security consultancy Shostack + Associates. He is the author of The New School of Information Security, Threat Modeling: Designing for Security and the forthcoming Threats: What Every Engineer Should Learn From Star Wars. Adam's YouTube channel has entertaining videos that are also excellent resources for learning about threat modeling.
The topic of today is threat modeling, a practice of identifying and prioritizing potential threats and security mitigations. Our guests are Anne Oikarinen from Nixu, and Nicolaj Græsholt from Eficode. Be sure to check out their profiles on Twitter and LinkedIn:
- https://twitter.com/Anne_Oikarinen
- https://www.linkedin.com/in/anne-oikarinen
- https://twitter.com/figaw
- https://www.linkedin.com/in/nicolajgraesholt

Related links:
- Webinar with Bankdata: Compliance and security in the DevOps world: https://hubs.li/H0NlrYx0

Books to read:
- Threat Modeling: Designing for Security, by Adam Shostack, Wiley: https://threatmodelingbook.com/
- Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/
- Evil user stories: https://www.nixu.com/fi/node/1639
- Cyber Bogies card deck: https://github.com/nixu-corp/NixuCyberBogies
- Explanatory blog for the cards: https://www.nixu.com/fi/blog/gamify-your-threat-modeling-nixu-cyber-bogies

Blogs:
1. Mitigate against tampering attacks - Secure your software delivery chain: https://hubs.li/H0NlsPR0
2. Privacy by design: where security meets usability: https://hubs.li/H0NlsTN0
Open Web Application Security Project (OWASP) - Portland, Oregon Chapter
We have three very special guests today. All come from different backgrounds but share a common interest in gaming - the kind that can be used to teach you things, like how to become better at handling security incidents or winning a historical insurrection. This podcast is sponsored by the We Hack Purple Academy.

Volko Ruhnke is a renowned wargame designer and educator. He retired as a career analyst with the CIA and as an instructor for the Sherman Kent School for Intelligence Analysis, which is responsible for training people in the intelligence community. While working there he became an acclaimed designer of commercial board games - best known for the COIN Series published by GMT Games.

Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

Hadas Cassorla is a security leader in the Portland area. She is the manager of security engineering and platform engineering at Simple Finance in Portland. She also does work with Hackback Gaming as an Incident Master (IM) running teams through dynamic role playing in tabletop incident response scenarios. Hadas is a recovering attorney too who took up improv after finishing law school.

Volko Ruhnke, Adam Shostack and Hadas Cassorla are interviewed by David Quisenberry and John L. Whiteman.

Links from the Show:
- Zenobia Award (Board Game Design Contest for Underrepresented Groups)
- HackBack Gaming
- Adam Shostack's Home Page
- Elevation of Privilege
- Philip Sabin - Simulating War: Studying Conflict through Simulation Games
- Jeremy Holcomb - The White Box

Support the show: https://owasp.org/supporters/
In this episode, Francesco and Adam Shostack discuss application security and threat modelling. Adam is the author of Threat Modeling: Designing for Security. He helped create CVE (Common Vulnerabilities and Exposures) and is on the review board for Black Hat. He encourages coders and computer engineers to work smarter, not harder.

The podcast is brought to you by the generosity of NSC42 Ltd, your cybersecurity partner. Cybersecurity is complex and different for every organization, and you need the best-tailored service to make sure your customers' data is safe and sound, so that you can focus on what's important: focusing on your clients and bringing the best and safest experience.

1:00 Introducing Adam Shostack
6:00 CVE (Common Vulnerabilities and Exposures)
9:46 Finding satisfaction in a job in security
15:00 Frameworks and static analysis
21:22 Threat Modeling
24:50 Work smarter, not harder
29:12 Documentation in DevOps
34:08 4 questions in Threat Modeling
41:32 Positive Message

Links:
- Adam Shostack: https://adam.shostack.org
- Twitter: @adamshostack
- https://threatmodelingbook.com
- https://www.blackhat.com
- Cyber Security and Cloud Podcast #CSCP: http://cybercloudpodcast.com
- #cybermentoringmonday
Threat modeling is a key to securing businesses, governments and individuals in a hacker-happy world. Its principles can be applied to disaster risk reduction (DRR), climate change adaptation (CCA) & other fields. Listen to Cybersecurity expert Adam Shostack in "Cybersecurity, Threat Modeling & in an Up & Down World" (Multi-Hazards Podcast S02 E19). Check out the Study Guide, click on the top left "PDF": https://multi-hazards.libsyn.com/cybersecurity-threat-modeling-in-an-up-down-world-conversation-with-adam-shostack

Adam Shostack Bio
Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the Common Vulnerabilities and Exposures (CVE) system and many other things. He currently helps many organisations improve their security via Shostack & Associates, and advises startups including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the Security Development Lifecycle (SDL) Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security. If you'd like help threat modeling, or engineering more secure systems in general, take a look at his consulting pages at https://adam.shostack.org.
Software Engineering Radio - The Podcast for Professional Software Developers
Adam Shostack of Shostack & Associates and author of Threat Modeling: Designing for Security discussed different approaches to threat modeling, the multiple benefits it can provide, and how it can be added to an organization’s existing software proc
Open Web Application Security Project (OWASP) - Portland, Oregon Chapter
Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and advises startups, including as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

Adam is interviewed by David Quisenberry, Ben Pirkl and John L. Whiteman.

Support the show (https://www.owasp.org/index.php/Membership#tab=Other_ways_to_Support_OWASP)
What am I working on? What can go wrong? What am I going to do about it? Did I do a good job? These are the four questions at the heart of threat modeling. In this episode, I speak with Adam Shostack, author of Threat Modeling: Designing for Security. We talk through how to begin threat modeling and the expectations of using modeling. Adam walks through the history of threat modeling, including his creation of the Elevation of Privilege game.
Adam Shostack is the author of the book titled Threat Modeling: Designing for Security (Wiley, 2014). He also is a co-author of The New School of Information Security (Addison-Wesley, 2008). Adam is a veteran in the cyber security industry, having spent over eight years with Microsoft where he focused on threat model tools and techniques. In this episode Ron and Adam discuss the ROI of threat modeling as well as address the fear security practitioners sometimes have with the agile development process. Adam leaves us with his top three items business leaders must know! Don't miss it.

Reach Adam on Twitter: @adamshostack
Threat Modeling Book: https://threatmodelingbook.com
My guest today is Adam Shostack. Adam is a consultant, entrepreneur, technologist, game designer, and author of the book Threat Modelling: Designing for Security. I invited Adam to talk security and discuss a concept he designed that is called threat modelling. I love the simplicity of the concept and appreciate the fact that Adam understands the complexity of security and was able to distill it into an actionable security program. Our conversation is versatile, covering technical areas and going up to the board level. If you have an interest in making security simple, and if your instinct tells you that defense is the new offence, you will enjoy listening to this podcast episode.

Major Take-Aways From This Episode:
- What is Threat Modelling and why do CIOs need to do it?
- The definition of the STRIDE concept.
- What are the common traps associated with STRIDE?
- How does Threat Modelling differ from the similar government-style programs?
- What questions do you need to ask when you threat model?
- Why is it important for CIOs to threat model and how does it help with communication at the board level?

About Adam Shostack
Adam is a consultant, entrepreneur, technologist, author and game designer. He's a member of the BlackHat Review Board, and helped found the CVE and many other things. He's currently helping a variety of organizations improve their security, and advising startups as a Mach37 Star Mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.

Read full transcript here.
How to get in touch with Adam Shostack: LinkedIn, Twitter

Key Resources:
- More information about Adam Shostack can be found at his website: https://adam.shostack.org/
- Threat Modelling: Designing for Security, Adam Shostack
- Checklist Manifesto, Atul Gawande

Credits:
* Outro music provided by Ben’s Sound

About Bill Murphy
Bill Murphy is a world renowned IT Security Expert dedicated to your success as an IT business leader. Follow Bill on LinkedIn and Twitter.