Let’s take stock of the situation

January 23, 2020 — Leave a comment

A lot of time has passed since my last article was published here, and a lot has happened since. Crypto-mining has risen and fallen, shiny new tools have been released, and the world has evolved into an even darker and nastier version of itself. In the meantime, yours truly has not stopped working with customers, partners and colleagues at Microsoft to improve our security posture and fend off the attacks we have to face every day.

Dear reader, with this article I am starting a new series to introduce you to the lessons I have learned the hard way, with the intent of sparing you some of the effort.

Security is my passion and prevention is my mission, so in the last 5 years or so my work has mostly gravitated around Threat Modeling. The notes you are reading are about exactly this topic and introduce you to the latest experiences and considerations around the art.

What I’ve learned in that time doing Threat Models is that they are intended to be consumed by many people, each with different needs, so it would be wrong to force a single view on everyone.

Threat Models are relatively easy to do, but doing high-quality Threat Models is hard and is a skill that can be learned. I’ve seen a lot of bad Threat Models done for various reasons, and I haven’t been exempt from my own mistakes.

I’ve come to understand that, to be effective, a Threat Model needs to be actionable, and that this means exposing the Threat Model for consumption by the Team, making it an integral part of the development process and a key part of other processes performed by the organization, starting with Risk Management.

All those learnings, and many others, have led to the definition of a new way of doing Threat Models, which is more modern, flexible and integrated. This new approach represents an evolution of Threat Modeling, not a revolution, and we call it Threat Modeling vNext.

So, welcome to the new era of Threat Modeling and enjoy this new series of posts on your favorite security practice!
