AMA: Where can we learn Threat Modelling?
May 14, 2020
In a recent 'Ask Me Anything' Tanya covers 'Where can we learn Threat Modelling?'. This video is approximately 2 minutes.

  • Threat modelling, for those who are unaware, is a sort of 'evil brainstorming'. 
  • The question included "How can we learn by doing, not just reading?"
  • Play the game "Elevation of Privilege", create by Adam Shostack 
  • You can actually play online, for free! It just came online last week. Play online here.
  • She also mentions that you should play Backdoors and Breaches, however, that is an incident response card game. You should still play it, but it won't teach you threat modelling. :-D
  • Every time there is a new project at work, meet with them for one hour and just *try* to threat model. It's okay if it's not perfect, if you identify just one risk you had not thought of, your sessions was productive.
  • Every time someone else at work is doing a threat model, sit in and "job shadow" them. Learning by watching and participating is a fantastic way to get in the middle of things.
  • Non-hands-on activities: 1) watch the many videos on this topic by several experts in the area, Adam Shostack, Avi Douglas, Tony UcedaVelez, Caroline Moeckel, Tash Norris, Geoff Hill, Jonathan Marcil, Irene Michlin, the list goes on and on.
  • Whiteboard designs with people and then 'put on your black hat' and take a look. 
  • Ask the tech team (developers, architects, ops peeps), 'If you were going to hack your app, how would you do it?" The answers may terrify you, but you'll be happy you asked.
  • Read Tanya Janca's numerous articles on the topic: Hacking Robots and Eating Sushi, Threat Modelling Serverless, and Threat Modelling
  • Then we get a bit off topic and start talking about Azure DevOps and GitHub Actions...  

If you are not a member and you are reading this, please consider becoming a member, it's only $7/month for a constant flow of AppSec content! Also, if you want application security training, we've got you! Check out our very first course, Application Security 101, for only $99! 

PS The Video Quality is low in this video and has been improved in future recordings.

Write a comment...
Maura van der Linden

I'll message you :)

Maura van der Linden

I teach threat modeling at my company (and did a bunch at Microsoft prior to this). I have a powerpoint threat modeling exercise (threat model a vending machine) I'd be willing to revamp from the branded version and make available if you are interested (or the community is).


I would defiitley be up to! How can I help?

ALL New Blogs, Videos, Articles and more! (does not include courses)

$7 / month
$70 / year (save 17%)
Includes access to 4 products:
Get access