In a recent 'Ask Me Anything', Tanya covers 'Where can we learn Threat Modelling?'. The video is approximately 2 minutes long.
- Threat modelling, for those who are unaware, is a sort of 'evil brainstorming'.
- The question included "How can we learn by doing, not just reading?"
- Play the game "Elevation of Privilege", created by Adam Shostack.
- You can actually play online, for free! It just came online last week. Play online here.
- She also mentions that you should play Backdoors & Breaches; however, that is an incident response card game. You should still play it, but it won't teach you threat modelling. :-D
- Every time there is a new project at work, meet with the team for one hour and just *try* to threat model. It's okay if it's not perfect; if you identify just one risk you had not thought of, your session was productive.
- Every time someone else at work is doing a threat model, sit in and "job shadow" them. Learning by watching and participating is a fantastic way to get in the middle of things.
- Non-hands-on activities: watch the many videos on this topic by experts in the area, such as Adam Shostack, Avi Douglen, Tony UcedaVelez, Caroline Moeckel, Tash Norris, Geoff Hill, Jonathan Marcil and Irene Michlin; the list goes on and on.
- Whiteboard designs with people and then 'put on your black hat' and take a look.
- Ask the tech team (developers, architects, ops peeps), "If you were going to hack your app, how would you do it?" The answers may terrify you, but you'll be happy you asked.
- Read Tanya Janca's numerous articles on the topic: Hacking Robots and Eating Sushi, Threat Modelling Serverless, and Threat Modelling.
- Then we get a bit off topic and start talking about Azure DevOps and GitHub Actions...
If you are not a member and you are reading this, please consider becoming a member; it's only $7/month for a constant flow of AppSec content! Also, if you want application security training, we've got you covered! Check out our very first course, Application Security 101, for only $99!
PS: The video quality is low in this recording and has been improved in later recordings.