Tanya Janca

AMA: Where can we learn Threat Modelling?

In a recent ‘Ask Me Anything’ Tanya covers ‘Where can we learn Threat Modelling?’. The linked video is approximately 2 minutes.

Where can we learn Threat Modelling?

  • Threat modelling, for those who are unaware, is a sort of ‘evil brainstorming’.
  • The question included “How can we learn by doing, not just reading?” Play the game “Escalation of Privilege”, created by Adam Shostack.
  • You can actually play it online, for free! It just came online last week. Play online here.
  • She also mentions that you should play Backdoors and Breaches; however, that is an incident response card game. You should still play it, but it won’t teach you threat modelling. :-D
  • Every time there is a new project at work, meet with the team for one hour and just try to threat model. It’s okay if it’s not perfect: if you identify just one risk you had not thought of, your session was productive.
  • Every time someone else at work is doing a threat model, sit in and “job shadow” them. Learning by watching and participating is a fantastic way to get in the middle of things.
  • Non-hands-on activities: watch the many videos on this topic by the experts in the area, including Adam Shostack, Avi Douglen, Tony UcedaVelez, Caroline Moeckel, Tash Norris; the list goes on and on.
  • Whiteboard designs with people and then ‘put on your black hat’ and take a look.
  • Ask the tech team (developers, architects, ops peeps), ‘If you were going to hack your app, how would you do it?’ The answers may terrify you, but you’ll be happy you asked.
  • Read Tanya Janca’s numerous articles on the topic: Hacking Robots and Eating Sushi, Threat Modelling Serverless, and Threat Modelling.
  • Then we get a bit off topic and start talking about Azure DevOps and GitHub Actions…

For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

PS: The video quality is low in this recording and has been improved in later ones.

Top comments (1)

🦄N B🛡

Well this covers threat modeling, which is often a difficult thing to measure.

But what about security modeling in general?

I just bought Backdoors and Breaches. Lucky that I already have a 20-sided die, unlucky though the damn thing keeps turning out to be. Many puns will be made. Many, many puns.
