About this session
Everyone agrees that threat modeling should be part of every software development lifecycle. Microsoft’s SDLC, OWASP SAMM, BSIMM, and more recently NIST, all treat threat modeling as a foundation stone of the SDLC: it helps find vulnerabilities and prevent their exploitation by taking the perspective of an attacker. “Think like an attacker” is easier said than done. Practitioners come to cybersecurity from different backgrounds: development, system or network administration, compliance, pentesting, and many others. Not everyone can think like an attacker. STRIDE is nice, deceptively easy, incredibly noisy when applied by brute force, and sometimes just hard to apply when starting out. Maybe we need to hack threat modeling to make it work for everyone, regardless of their background, by offering lighted pathways that help everyone achieve similar results.