Enterprise Security Weekly Subscribe

Breach, Security Operations, Threat Management

Threat Modeling and Understanding Inherent Threats – Adam Shostack – ESW #359

April 25, 2024

This is a great interview with Adam Shostack on all things threat modeling. He's often the first name that pops into people's heads when threat modeling comes up, and has created or been involved with much of the foundational material around the subject. Adam recently released a whitepaper that focuses on and defines inherent threats.

Resources:

Here's the Inherent Threats Whitepaper
Adam's book, Threat Modeling: Designing for Security
Adam's latest book, Threats: What Every Engineer Should Learn from Star Wars
We mention the Okta Breach - here's my writeup on it
We mention the CSRB report on the Microsoft/Storm breach, here's Adam's blog post on it
And finally, Adam mentions the British Library incident report, which is here, and Adam's blog post is here

Full episode and show notes

Announcements

Security Weekly listeners save $100 on their RSA Conference 2024 Full Conference Pass! RSA Conference will take place May 6 to May 9 in San Francisco and on demand. To register using our discount code, please visit securityweekly.com/rsac24 and use the code 54USECWEEKLY! We hope to see you there!

Guest

Adam Shostack

President at Shostack + Associates

Adam is the author of Threat Modeling: Designing for Security and Threats: What Every Engineer Should Learn from Star Wars. He’s a leading expert on threat modeling, a consultant, expert witness, and game designer. He has decades of experience delivering security. His experience ranges across the business world from founding startups to nearly a decade at Microsoft.

His accomplishments include:
– Helped create the CVE. Now an Emeritus member of the Advisory Board.
– Fixed Autorun for hundreds of millions of systems
– Led the design and delivery of the Microsoft SDL Threat Modeling Tool (v3)
– Created the Elevation of Privilege threat modeling game
– Co-authored The New School of Information Security

Beyond consulting and training, Shostack serves as a member of the Blackhat Review Board, an advisor to a variety of companies and academic institutions, and an Affiliate Professor at the Paul G. Allen School of Computer Science and Engineering at the University of Washington.

Host

Adrian Sanabria

Principal Researcher at The Defenders Initiative

https://adriansanabria.com

Related

Vulnerability Management

Weird Al, Docker, OT, Gitlab, Credit Monitoring, Dropbox, Cisco, AI, Aaran Leyland… – SWN #383

May 3, 2024

Weird Al, Docker, OT, Gitlab, Credit Monitoring, Dropbox, Cisco, AI, Aaran Leyland, and More, on this edition of the Security Weekly News.

Incident Response

Preparation: The Less Shiny Side of Incident Response – Joe Gross – ESW #360

May 2, 2024

It's the most boring part of incident response. Skip it at your peril, however. In this interview, we'll talk to Joe Gross about why preparing for incident response is so important. There's SO MUCH to do, we'll spend some time breaking down the different tasks you need to complete long before an incident occurs. Resources 5 Best Practices for Bu...

RSA Conference, Verizon DBIR, funding, reports, partnerships and more – ESW #360

May 2, 2024

It's the week before RSA and the news is PACKED. Everyone is trying to get their RSA announcements out all at once. We've got announcements about funding, acquisitions, partnerships, new companies, new products, new features... To make things MORE challenging, everyone is also putting out their big annual reports, like Verizon's DBIR and Mandiant'...