AMA: Where can we learn Threat Modelling?

In a recent ‘Ask Me Anything’ Tanya covers ‘Where can we learn Threat Modelling?’. The linked video is approximately 2 minutes.

Where can we learn Threat Modelling?

• Threat modelling, for those who are unaware, is a sort of ‘evil brainstorming’.
• The question included “How can we learn by doing, not just reading?” Play the game “Escalation of Privilege”, create by Adam Shostack
• You can actually play online, for free! It just came online last week. Play online here.
• She also mentions that you should play Backdoors and Breaches, however, that is an incident response card game. You should still play it, but it won’t teach you threat modelling. :-D
• Every time there is a new project at work, meet with them for one hour and just try to threat model. It’s okay if it’s not perfect, if you identify just one risk you had not thought of, your sessions was productive.
• Every time someone else at work is doing a threat model, sit in and “job shadow” them. Learning by watching and participating is a fantastic way to get in the middle of things.
• Non-hands-on activities: 1) watch the many videos on this topic by several experts in the area, Adam Shostack, Avi Douglen, Tony UcedaVelez, Caroline Moeckel, Tash Norris, the list goes on and on.
• Whiteboard designs with people and then ‘put on your black hat’ and take a look.
• Ask the tech team (developers, architects, ops peeps), ‘If you were going to hack your app, how would you do it?” The answers may terrify you, but you’ll be happy you asked.
• Read Tanya Janca’s numerous articles on the topic: Hacking Robots and Eating Sushi, Threat Modelling Serverless, and Threat Modelling.
• Then we get a bit off topic and start talking about Azure DevOps and GitHub Actions…

For this and more, check out my book, Alice and Bob Learn Application Security and my online training academy, We Hack Purple!

PS The Video Quality is low in this video and has been improved in future recordings.