#148 - Threat Modeling (with Adam Shostack)

On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job? Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/ Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/ Learn more about threat modeling by checking out Adam's books on threat modeling Threats: What Every Engineer Should Learn From Star Wars https://amzn.to/3PFEv7L Threat Modeling: Designing for Security https://amzn.to/3ZmfLo7 Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/ Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS Chapters 00:00 Introduction 06:02 The 4 Questions that allow you to measure twice cut once 09:29 How Data Flow Diagrams help teams 16:04 It's more than just looking at threats 19:23 Chasing the most fluid thing or the most worrisome thing 22:00 All models are wrong and some are useful 26:25 Actionable Remediation 31:05 LLMs and Threat Models

Om Podcasten

Welcome to CISO Tradecraft®. A podcast designed to take you through the adventure of becoming a CISO. This podcast was started because G Mark Hardy and Ross Young felt impressed to help others take their Information Security Skills to an executive level. We are thrilled to be your guides to lead you through the various domains of becoming a competent and effective CISO.