The Security Table

Threat Modeling Conference

Chris Romeo Season 1 Episode 29

The Security Table gathers to discuss the upcoming ThreatModCon 2023 (https://www.threatmodelingconnect.com), the inaugural and only conference dedicated entirely to threat modeling.

ThreatModCon 2023 

Sunday, October 29, 2023

Marriott Marquis Washington, DC

The Threat Modeling Conference will cover various aspects of threat modeling, from AI integration to privacy concerns, from a brief history of threat modeling to hands-on workshops. The sessions will emphasize learning, interaction, and applying knowledge in real-world scenarios. 

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-

From threatmodelingconnect.com:

Join us for the inaugural Threat Modeling Conference — the first annual meetup of our community — on October 29th to learn, share, and discuss how to make threat modeling approachable to everyone.

Come away with the latest trends, tools, and strategies in threat modeling, helping you stay ahead of the curve as you navigate the constantly-changing cybersecurity landscape.

Meet the Speakers
Welcome / Closing: Chris Romeo
Keynote: Matthew Coles, Seba Deleersnyder, Robert Hurlbut, Tanya Janca, Brook Schoenfield, John Taylor
Workshop Leaders: Robert Hurlbut, Jonathan (Jono) Sosulska
Speakers: Michael Bernhardt, James Berthoty, Lisa Cook, Avi Douglen, Tyson Garrett, Geoff Hill, Wael Ghandour, Brenna Leath, Dr. Michael Loadenthal, Edouard Stoka, Dr. Kim Wuyts

I’m new to threat modeling. Is this conference for me?
At the heart of this inaugural threat modeling conference is our belief that “threat modeling is for everyone.” Whether you’ve heard about threat modeling for the first time or have been on this journey for decades, we believe you’ll benefit from the insightful talks, dynamic workshops, and plenty of hallway conversations. You’ll come away with the knowledge, skills, and connections needed to take your security career to new heights.

~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-~-


Listen in to hear what excites Chris, Matt, and Izar about ThreatModCon, and sign up to attend yourself!


Threat Modeling is for Everyone!


https://www.threatmodelingconnect.com/


Thanks for Listening!

Chris Romeo:

All right, here go. Hey

Matt Coles:

words. First word.

Chris Romeo:

We're playing the Security Table charades today. And so, uh, welcome to the Security Table. My name is Chris Romeo, joined by Matt Coles, Izar Tarandach. And we were spending the last 10 to 15 minutes really focused on Izar's OpSec, of his little picture frame, whatever that thing is called, behind him that he has covered in baking paper so as not to have a reflection, so you cannot see what's on his screen. And so operational security, it's important. It's for you. Of course, I can see your password on that sticky note behind your head, which I think is

Izar Tarandach:

So tell me, cause I forgot it.

Chris Romeo:

Is that the password for your Wi Fi or just your bank account that I'm looking at there?

Izar Tarandach:

That one, office?

Chris Romeo:

Yeah, there it is! I hope that you didn't make that your password, that'd be pretty funny though. Alright, we are here for some amount of seriousness now. We're here to talk about Threat Modeling Con. So, uh, for folks that don't know, we're doing the first ever threat modeling conference that's, that I'm aware of that's ever happened in our industry. Um, I, I have the, uh, was asked to be the global chair of the event, and so I've been super excited to help behind the scenes, knit this whole thing together. Matt, Izar were part of the program committee as well as doing a bunch of other things. So, but primarily helping to wade through all the incredible submissions we had about various facets of threat modeling. And so before we dive in and talk in more depth, just in case you're curious now, the event's happening October 29th in Washington, DC. This is a Sunday. This is the day before OWASP Global happens in Washington, DC, 30th and 31st, uh, which is a Monday and Tuesday. The 29th, the Sunday right before the OWASP conference, is when we're doing Threat Modeling Conference. It's in person. It is at the Marriott Marquis, the same place the OWASP event is, is happening. So those are the details. Um, you can, if you, you can literally just search for Threat Modeling Conference. We'll put some references in the show notes if you want to click on a link to get to the registration page to see all the other things that we're talking about here. But we thought we would spend a few minutes talking through the agenda for this event and really highlighting some of the things we're excited about, because we are excited about a lot of different things that are happening here. So, um, just to kind of set the stage for people, like what, from your guys' perspective, like what's the, what's the benefit and value of us having a threat modeling conference? Like, why are we even bothering to do this?

Izar Tarandach:

Why? So,

Matt Coles:

Have you started that already?

Izar Tarandach:

Yeah, no, I, I think that the first one is that apart from other OWASP events, and perhaps an RSA Conf here and there, it's going to be the first time that you are going to have a lot of people, actually most of the Threat Modeling Manifesto team, together under one roof at the same time. So I see a lot of value in that, not only as a member of the group, but to people who would like to come and talk about the Manifesto and what took us there and stuff like that. Uh, to be sure, it's not the same team that's doing both things, it's a distinct team with some overlap between the Threat Modeling Manifesto Group and the ThreatModCon, and that was by design, but uh, I'm very excited, first, about having all of us close in the same place talking about the thing that we like so much. And the thing that got me the most excited, especially when being part of the program committee, was that all of a sudden we don't have to worry about talking too much about threat modeling. We had this great opportunity of saying, yes, we have a full agenda of threat modeling, and we don't have to, for clarification, Matt and I, and Chris, we participate in other events, uh, program committees, and it's always that battle between, I don't think that there's enough threat modeling being, being addressed, to, yeah, we have to talk about other stuff as well. So it was really, really gratifying to, once in my life, not have to worry about that. And we're going to get more into that, but, uh, the, the, uh, different approaches that we got in the, the submissions, and seriously, thank you people out there, we got some really, really, really great submissions. At times it was, it was hard to make up our minds or, or to, to decide what to put in there. And that's a whole different episode. We could talk about selections for events for a whole hour. But I think that we got some great ones and we built a program that I'm really excited to be able to deliver out there.

Matt Coles:

Yeah, I definitely, I think we should, we should definitely, I'll, I'll just reiterate that thank you to everyone in the community who submitted, um, submitted, uh, you know, presentations and, and workshops for this. Um, so we are, we're doing presentations, we're doing workshops, we have a Birds of the Feather, uh, uh, that will be, will be happening in Birds of the Feather within the threat modeling, uh, space. So, you know, if you're interested in certain topics of threat, subtopics of threat modeling, uh, we have a, Not a keynote, keynote, uh, where we'll be talking, I think, really interesting and important for, for folks to get, even if they're experienced or if they're new, to learn the history of threat modeling and, and from some, some pretty interesting folks who will talk about their, their own experiences and deliver this. It's a very personal thing. And we should, we should mention, you know, the, the theme of this, of the conference this year. The first ever is threat modeling is for everyone, right? So this is all about. Um, you know, the, and you see it, and I think we reinforce this with the talks that are going to be given, and even the workshops themselves. This is not some academic, these are not academic presentations. These are, these are talks about how real people took real challenges and solved them with, with real methods of threat modeling, uh, and, and taking it from the ground up, right? Literally, how to conduct, how to, how to conduct, uh, you know, uh, discussions around threat modeling. How to, uh, build threat models. How to deal with problems during the process. Dealing with the, with the results, and then the, some various techniques to apply it. And I think we'll, we'll talk about those in a little bit more detail. But, um, but this is going to be a, definitely an exciting, um, conference for those. 
Again, for folks who are new, you're going to learn a ton of stuff and then things that you can apply pretty much immediately as soon as you get back to your day to day lives. Uh, and for, even for experienced practitioners, this has something for them.

Chris Romeo:

Let's, let me, uh, just kind of set the stage for this keynote because I know Matt, you're, you're kind of the, the person who kind of knitted this whole thing together for us. So let me, um, let me just introduce it. And talk about some of the people that are part of it, that you've gathered together here, and then we can see kind of, then you can give it, you can kind of explain maybe a little bit more depth what people are going to experience here, um, and so the keynote is, is a

Matt Coles:

Izar with his clicky keyboard over there,

Chris Romeo:

Yeah, he's our, he's, he's, uh, you know,

Matt Coles:

Bang, bang,

Chris Romeo:

Yeah, he's, uh, we're, we're working on the, uh, the mute button. Um, so the keynote though, it's, you're using the, the theme of the conference, Threat Modeling is for Everyone. Let me just highlight the people that are going to be a part of this, because this is really incredible. We've got Brook Schoenfield, someone who we all love, and we think of as the, you know, one of our, I mean, he calls himself the elder statesman of AppSec. So, um, that's his title. I didn't, I didn't assign it to him, but he is right. He's somebody who's been around our, our industry for a long time, has built threat modeling programs and done everything in the threat modeling sphere. Um, you've got Seba Deleersnyder, who's very, very, uh, prominent threat modeling consultant and trainer and teacher. Uh, as well as very prominent OWASP, uh, contributor as well. Um, we've got Tanya, Tanya Janca, who's, uh, has done a, has, has done a lot of, of talking about threat modeling and talks about a lot of other things in the world of AppSec, and, uh, I think has a very unique perspective as far as how she comes at these things. Kind of different than, um, than a lot of the ways that I think others of us think about it. You've got Robert Hurlbut, who's a good friend of mine, co-host on the AppSec podcast. Um, he's done threat modeling in the corporate environment, in the government environment, in the, uh, you know, individual kind of startup environment, like he's done threat modeling everywhere. And then John Taylor as well, someone with a, with a huge amount of experience and knowledge. And then I forgot the most important, not the most important one, but the guy who knitted it all together. Matt Coles is, is going to be part of this conversation as well. So, um, so Matt, you kind of came up with the idea and it's, I don't want to call it, it's not the un-keynote, keynote.

Matt Coles:

It was not a keynote keynote. I mean, I forget

Chris Romeo:

but it, but it's something, it's different than what people are, have maybe experienced before. So give us some perspective about how you're gonna, you're gonna knit the, this group of, of experts, threat modeling people that know so much. How knit this together into a... a single, uh, keynote.

Matt Coles:

Uh, with luck, we'll do it successfully. Uh, so, um, because obviously this is, so this is not a panel. Uh, this is more of a set of vignettes along a path or a continuum of Threat Modeling. Starting with the history of Threat Modeling, where we, where we began in the industry. I mean, obviously we can't go way, way back. So it'll be, there'll be a point in time when, when threat modeling really started. And I, and I, I know this is going to get exciting because we're, you know, Brook, our elder statesman, is going to, to kick us off, uh, in, in that process. And then as we progress through time, we're going to touch upon, uh, different aspects of threat modeling from, from the perspective of, of, uh, the individual who's presenting. So, uh, you know, we'll, we'll get the insight from, from Seba and Tanya, uh, Robert and John, um, following Brook, uh, in, in the aspects that they want to cover with respect to, you know, maybe a challenge that they, that they ran into and overcame in, when doing threat modeling, um, or, or an evolution that they, uh, that either that they took advantage of, uh, in how threat modeling is done or something that they actually innovated on. And, and so we'll, we'll look from the, the very beginnings when, you know, primarily it was, you know, governments and security people doing this to today where now it's again, for everyone, right? For developers and others who are interested in threat modeling, this is no longer an ivory tower discussion. So, uh, if we're successful, um, and I'll be moderating this, uh, this, not a panel, not a keynote, keynote, introduction history to threat modeling, um, uh, where, uh, so hopefully we'll keep everyone on time and on track and, uh, and it'll be an exciting, uh, exciting set of vignettes. Uh, uh, it should be very interesting.

Chris Romeo:

Yeah, I'm, I'm, I'm very excited for how this is going to all come together. So after we finish the keynote, then we're going to split into two different tracks. So we're going to have some different opportunities, um, things for people to talk about. I mean, in that first segment, we've got Avi Douglen, who's a very well known name in the world of threat modeling, another, uh, another author of the manifesto with us, um, talking about the threats to our community. And at the same time, you've got Tyson Garrett, shifting threat models from static to dynamic. I mean, the challenge I'm having with this agenda is, ha ha ha, why'd you give me so many different things?

Izar Tarandach:

The challenge here is going to be like running from one room to the other.

Chris Romeo:

Yep

Izar Tarandach:

It's one of those cases where I really want to divide myself and like split, because there is just going to be so much interesting stuff going on. I mean, Avi is looking at the threats of our community from a position of, okay, it's good to threat model systems and all that, but what else can we do with this? Can we apply it to a higher level? And then Tyson is coming with, okay, how do you take this threat model thing here, and that's a static, it's a document and stuff, and make it respond to a landscape that's always changing.

Matt Coles:

So,

Izar Tarandach:

it's gonna be so hard.

Matt Coles:

Something else to keep in mind is we're getting, we'll be getting close to Halloween on, on this, uh, on this journey. And, uh, we know that Avi is, is, is famous, or infamous, for, uh, wearing costumes to presentations. So we'll have to see what, we'll have to see when it comes in.

Chris Romeo:

what he comes up with and shows us. So, yeah, so that's, I mean, that's our first segment between the two different rooms. And then, same problem that I'm going to say over and over again. Like, the next segment after that, you've got Kim Wuyts, another friend of ours, Shifting Privacy In. And you've got Edouard Stoka, Classic Brainstorming Threat Modeling vs. Threat Modeling Tools. So you've got privacy on one side, and you've got kind of manual, manual threat modeling versus, versus using tooling to generate this. It's, once again, it's just another, another challenge as far as which room you go to. And, you know, you just run, literally run back and forth and hear a word in one. I don't know how fast you are. I'm probably not that fast.

Matt Coles:

If we, if we were smart, we would have gotten the ballroom that has the dividers. We could open the dividers and you could be like sort of between both rooms.

Izar Tarandach:

Sitting in the middle and just looking at both sides.

Chris Romeo:

Maybe we should have done a one, one track conference, then we would have been able to just sit in there the whole time. But, but the problem is we had so many awesome speakers and so many awesome submissions that came in that it was so tough to say, well, this is the line. Like we're only going to be able to choose a

Izar Tarandach:

wait, wait, wait.

Chris Romeo:

to

Izar Tarandach:

I think that the original plan was to have a one

Chris Romeo:

was, it

Matt Coles:

Yeah, It would have been, four

Izar Tarandach:

were just so good. It's

Matt Coles:

Yeah,

Chris Romeo:

And so, such

Matt Coles:

It would have been, it would have been four presentations and two workshops, and it wouldn't have been as robust and exciting. And I think we were getting some, we're getting, I mean, obviously we're getting a lot of really good presenters who we've known, many who we've known throughout, you know, throughout our time, and so many great topics, again, covering the gamut from, from beginner on up and, and whether you're doing whiteboards or you're doing automation or you're doing whatever, um, you know, it's, it's something for everybody.

Chris Romeo:

And then in the next hour after that, one of the ones that I've got my eye on is the Operational-Intersectional Threat Modeling, Dr. Michael Loadenthal. So, um, I don't remember how I got connected to Dr. Loadenthal, but I did an episode with him of the Threat Modeling Podcast, and he just takes threat modeling to a different place than I've ever gone with it before. Like, he's used threat modeling to, uh, to assist members of Congress in the United States to profile their digital lives. And it's, I know intellectually, like, threat modeling, of course, you can threat model anything. I say that all the time. But he's somebody who's done it. He's taken threat modeling to other places, and I'm just fascinated to see, how did you apply this? How did you make this work in something that's not just a web application with a database and a React front end attached to it?

Izar Tarandach:

It's the power of asking what could go wrong, right?

Matt Coles:

Right, and then, and then opposite that is how to effectively do triage of threat models, right? So this isn't, this is how do you do, on one hand, doing, how do you do threat modeling in a particular environment and, and for, uh, some, some, you know, and adapting to new techniques. And then how do you make it effective when you're doing it? And so it's really hard to choose. It's going to be really hard to choose. I mean, do you want to look for innovation or, or do you want to help for work on facilitation? And so, um, you know, hopefully folks will take good notes and we can share.

Izar Tarandach:

Yeah.

Chris Romeo:

And then we make our way to lunch. And the thing that we're excited about for lunch is that's when we're going to do our birds of a feather. And so, we'll have the lunch environment set up where people can, there'll be cards on each table of different topics, and people can join different conversations, different tables to have a conversation about a particular facet of threat modeling. I know those are still developing right now. So we don't even have a finished list at this point. We're iterating on that, trying to get the best possible list, but that's, it's going to be birds of a feather focused on threat modeling. Like normally I go to birds of a feather at conferences and maybe there's one table out of 50 talking about threat modeling, but here's going to be in an environment where everybody's talking about threat modeling.

Izar Tarandach:

So confession time. I've never done a Birds of a Feather.

Chris Romeo:

Really?

Matt Coles:

Wow, that's what, actually, it's, for, for the limited number of conferences that I've gone to over the years, Birds of the Feather, I think, is one of the best parts of, because you get, you get people together who, who want to share similar ideas, and, and there's, you can get really in depth discussions about a particular topic. Share ideas, debate, argue about different ideas, but you know, you're, you're, it's, it's a bounded conversation. It's not like, oh, I have this topic and I have this topic, and you're all over the place. It's, it's much more focused. I think it lends itself well to great conversations, good networking. Right? Especially if, you know, if the birds of a feather work out where if we, for instance, we're going to talk about, you know, threat modeling as code, as a topic, right? It'd be great to have conversations with people who, who use the various tools that are now out there, right? Or threat modeling with AI. Uh, or, or even, you know, business aspects of how, how to build a program, right? These are some of the topic areas I think that, that people could, could be focusing on. Um, and again, the list hasn't been finalized yet. So, um, you know, definitely if anyone has any input, uh, love to hear it. But, uh, it's, um, you know, you'll have the opportunity to have like minded conversations with people who have, um, who have thoughts or experience or just crazy ideas in, uh, in some of these aspects.

Chris Romeo:

Yeah.

Izar Tarandach:

I look forward to being a hummingbird this Birds of a Feather and jump from one to another.

Chris Romeo:

Yeah,

Matt Coles:

Well,

Izar Tarandach:

chuck the grenade and go

Matt Coles:

And I think, and actually, so actually it's kind of an interesting challenge for us in particular because, you know, we, we're putting this, this whole thing on. We're part of the program committee. Chris is our, uh, our fearless leader over here, uh, for, for the con, operating, operating committee. And, uh, you know, so, we're staff.

Chris Romeo:

Yeah,

Matt Coles:

I've never been staff at a conference before. Uh, what do you do? We're not supposed to be, like, sitting in the presentations, or joining the Birds of a feather. We're here to help. Uh, so, we're gonna be, have them be listening in, and, Hmm, hmm.

Izar Tarandach:

But we will be available.

Matt Coles:

We will be or we will be around, I, I guess. We're all gonna be on site, uh, for, for the event, so.

Izar Tarandach:

If anybody sees us going around, and unless something is on fire, by all means, stop us. We're there to talk threat modeling as well.

Matt Coles:

Right, I know.

Chris Romeo:

So, so after lunch.

Izar Tarandach:

After that,

Matt Coles:

Yeah.

Chris Romeo:

We're to the workshops, right?

Izar Tarandach:

oh, the workshop.

Chris Romeo:

Yeah, we have two workshop opportunities. Um, Robert Hurlbut's doing Developing a Threat Modeling Mindset, and Jono Sosulska, sorry if I pronounced that wrong, uh, is doing From Threat Discussion to Completed Mitigation. So we've got two, uh, different kind of takes, I guess, from the workshop, but they're going to be interactive, there's going to be, they're going to be learning experiences, and we wanted to do something in the event that was more than just talks, we wanted to, if there, because we know there's going to be some new threat modeling people that'll be with us at the event, we want to give them opportunities to learn. That's one of the things that's so cool about the threat modeling community as I've experienced it is it seems like everybody's willing to be a teacher. There's not a lot of people that are like, nope, sorry, can't help you. Like, everybody shares their knowledge openly freely and they do, um, different trainings, things like that's happened with Threat Modeling Connect. I know, Izar, you've done, I think you've done one or you might have one coming up. Um, but yeah, I mean, we've got, you know, people are, we're willing to share, people are willing to share their knowledge. And so, I love that Robert and Jono are both, leading us into these workshops and, and giving folks a chance to put threat modeling into action. Like, let's not just sit around and talk about it, we're going to do some threat modeling.

Izar Tarandach:

Yeah.

Matt Coles:

We should have called this threat modeling for everyone, by everyone.

Izar Tarandach:

Right. So I'm not very familiar with Jono, but with Robert, yes. And I know how good of a teacher he is. And I really look forward to people who don't have a lot of experience with, uh, threat modeling coming and getting it from him. I mean, we, we don't have training, specific trainings in this, this conference, even though there are some great offerings out there and, uh, the, the, uh, Global, uh, OWASP AppSec, just right after. They are going to have trainings and Adam will be there and some other good names in threat modeling. So definitely people, if you are looking for training, look at those. But I think that these workshops will be very, very valuable for people who are less familiar or experienced with those facets of the process. Coffee!

Chris Romeo:

So after the workshops, we go to the all important coffee break. Can't believe I just called that out.

Matt Coles:

Well, actually, it's actually important. I think we don't have the ability today to talk about our sponsors. Um, but, you know, obviously we will have folks, um, there will be folks around, um, you know, who are, are available to talk about offering other offerings, uh, in the area of threat modeling. Um, you know, there's, there's certainly stuff that happens beyond just the tools and the, and the consultants.

Chris Romeo:

It's a good reminder, yeah. And coffee breaks are great times to, to network and talk to people. Like, that's my favorite thing about going to conferences these days. Like, I don't actually sit in a lot of talks, but I sit in a lot of hallways and talk to people. And the first day Izar and I met was at OWASP Boston with Mark French. And

Izar Tarandach:

OWASP San Jose, 2018. Right?

Chris Romeo:

we meet before that? Well,

Matt Coles:

You and I, Chris, you and I met the first time at Boston.

Izar Tarandach:

Right, right, that is when I, when I introduced you guys.

Chris Romeo:

Yeah, we ended up sitting in the hallway at OWASP Boston with French and Justin Redberg, who was, who was with, was working with me, um, a friend of mine. Yeah, we just sat in the hallway for like four hours.

Izar Tarandach:

it

Chris Romeo:

like, I'm like, I should go to

Izar Tarandach:

and came back to the,

Chris Romeo:

Yeah, I'm like, we should go to the conference, but we were, I mean, and we were having good conversations. It wasn't like we were just sitting around doing nothing, like, we were deep in conversations and solving problems, and like, I got to the end and I'm like, that was a lot of fun. Like, that was, but we want to, we want to magnify that same thing at Threat Modeling Conference. Like, I mean, I have had the luxury of meeting almost everybody in the world of Threat Modeling. And I want to tell people that are out there, like, everybody's approachable. Like, you can walk up, Adam Shostack, like, you like, you look at Adam and you're like, I can't even talk to this guy. He's written all the books and all the things. He's the nicest man that you're ever going to meet. And he would love for someone to walk up and say hi to him and, and, and ask him a question that they've had about, I've had this question about the four questions forever. Guess what? Adam will love it if you come up and talk to him. Or you guys have written another one of the books on threat modeling. Like, I want to encourage people that are at our event, like, talk to, talk to the, the, we're all out there, we're all just people, like, there's no, there's no hierarchy here, like, we're all just people, let's have conversations, let's use that networking time to meet each other, cause there's nothing better than meeting new people at these events.

Izar Tarandach:

And challenge, challenge us. If you think that you disagree with something that we said or put out, hey, come and challenge us, because we will learn from you too.

Chris Romeo:

yeah,

Izar Tarandach:

So definitely.

Matt Coles:

Constructive challenges. I mean, we're, we're, not here to get into well, we are not here to get into fights, although I think Izar would be able to take most people, um, but, uh

Izar Tarandach:

too.

Chris Romeo:

Izar will

Izar Tarandach:

a certificate. Super.

Chris Romeo:

Izar will be, yeah, that's for security training, come on, um, Izar, Izar will be doing like a jiu jitsu demonstration if so, you know,

Matt Coles:

What's in your

Izar Tarandach:

I am sure there are people in there who have a lot of experience in Jiu Jitsu. This is a community that goes to the gym pretty much.

Chris Romeo:

that's true. Let's keep going through our schedule here. And

Matt Coles:

you guys go to the What?

Chris Romeo:

got

Izar Tarandach:

Hmm.

Matt Coles:

You guys go to the gym? What's up with that?

Izar Tarandach:

We got to get you on the mat, Matt.

Chris Romeo:

Or you can be mat, Matt.

Matt Coles:

I'll be in the back.

Izar Tarandach:

That's just the beginning. That's the first class.

Chris Romeo:

That's where you start. Um, yeah, so then we got, uh, after the coffee break, we got Threat Modeling Program Milestones: A Journey to Scale, Brenna Leath, Lisa Cook. These are two North Carolinians. They live nearby to me. I know them both. Excellent speakers. And they're coming at this from practitioners running programs inside of companies. Like what, what does it take to run programs? Um, Hitchhiker's Guide to Failing Threat Modeling. I love the name of this. Like, what, give me some, uh, give me some context on this one.

Matt Coles:

So this is all, this is, this is, like, this is probably one of my favorites, I think, out of, well, okay, so Kim, Kim's

Chris Romeo:

Can't have a favorite kid, Matt. Come on.

Matt Coles:

Kim's Threat Modeling is, is like up there also, but, but this one is all about what happens when things go wrong in your threat modeling process.

Izar Tarandach:

So important.

Matt Coles:

Because we like to think of threat modeling, well, or a lot of people think of threat modeling as an academic exercise. It's a paper exercise, a documentation exercise, whatever. But you can get it wrong, and it's okay to get it wrong. How do you handle it? How do you recover from it? This presentation, um, is going to, um, is definitely going to help, I think, in that area, um, for helping, helping people on, not just, not just understand where failures occur in the process, but also how to recover from it successfully.

Chris Romeo:

Nice.

Matt Coles:

Izar, your, uh,

Izar Tarandach:

No. And to recognize that it's okay to have failures, that you can build from them too. It's not. It's not that, oh my god, it didn't work the first time, let's kick it. No, you can recover. It's asking what could go wrong, when asking what could go wrong.

Matt Coles:

there you go.

Chris Romeo:

There's another t-shirt right there. Asking what could go wrong when asking what could go wrong. Infinite loop. All right. So then, then we have two more talks to kind of wrap up the day. Um, this is not a case where, like, these are talks that could have gone anywhere in the schedule. Like, we saved AI for the end, for the last, for this last segment of the day. And everybody's thinking about AI threat modeling and how does it come in. And so you've got Wael Ghandour, Everyone is a Threat Modeler: An AI-Enabled Journey for Beginners, which should be fun. And then you've got Geoff Hill, who's, uh, got a talk on Being VERY Agile with Rapid Threat Model Prototyping. So you've got kind of a process, um, how do you get threat modeling done faster, and then you've got AI and threat modeling. So, I mean, you want to talk about ending the day with a bang here, like this is not, we're not ending on a, you know, we're not fizzling out, we're ending at full speed, um, with, with the best speakers,

Matt Coles:

And these are,

Chris Romeo:

day out.

Matt Coles:

these are some of the technical presentations. I mean, there, there's going to be, you know, the, the RTMP, uh, you know, rapid threat modeling prototyping, is definitely not for the faint of heart. So this will be an exciting, exciting journey, right? And, and how do you connect it to your DevSecOps process, processes, right? And that's the AI threat modeling, of course. I, I, I don't know how it'll work. I, I wonder if there's going to be good math, you know, a lot of math in this, um, you know, and, and things. It'll be interesting to see. Um, but it's, you know, these are, these are some pretty strong, practical, like, hey, I'm looking to integrate this into my existing environment, or I want to do something fancy and new, or what's the latest trends. These are them. They're at the end of the day. Hopefully people are, are, you know, off the coffee break and still got some energy. And, uh, so it should be exciting.

Chris Romeo:

Yeah, this is, I mean, what a day it's going to be. I, this is, I know I'm getting excited again here, thinking about it. And we still got to wait, you know, another month, six, we're six weeks out or so from the event right now. And, um, now going through this agenda and considering all these talks, I'm like, nah, I want this to happen tomorrow. Like, I don't, I don't want to be patient, I want to, I want to get to this event and sit in and hear all these speakers go through this experience with our audience. I think this is just going to be, going to be an incredible day.

Matt Coles:

And bookending it all is Chris, both giving us an opening statement and closing remarks. So, I mean, I don't know how you're going to follow this awesome agenda here, Chris.

Izar Tarandach:

Oh, there are going to be some surprises there.

Chris Romeo:

There is a, there is a surprise that's being cooked up that I'm already aware of. And no, I mean, I don't think I'm getting hit with a pie, but that could happen too, as a second surprise. Yeah, look, I didn't win a Super Bowl here, no. This is, no Super Bowl of threat modeling. Um, but yeah, my, my, my goal with that closing remarks is to, I'm gonna watch and listen all day long, and I'm just going to make notes throughout the day, and then I'm going to try to share what I took away, what I learned, what I, what cool things and, and what people taught me, and try to, try to just show, and very quickly, here's all the cool things that we knew, we knew that happened at this, this event. That's really my goal. My opening, hey, that's my chance to tell some jokes. I follow the Michael Scott approach, which is have a couple jokes ready, try a couple in a row, see which one lands and then go. So we'll see how that works, if that can become a reality. But, um, yeah, I mean, I mean, final thoughts is come to this event, be, get, get to DC, be a part of Threat Modeling Con. The first is good. You can say you're at the first one. How often can you say you were at the first one ever of anything?

Izar Tarandach:

First of its name.

Chris Romeo:

I mean the first time, and we hope it's going to go on for a, well, way into the future, as, uh, because we, we all realize and know and believe that this is something that's a growing area. Um, but I would encourage anybody out there, if you can get to DC, if you're in DC, get a ticket, be a part of this. If, uh, you can travel to DC to be a part of it, it's going to be worth your while. That's, uh, that's my guarantee to you right now. So thanks

Matt Coles:

you a, sorry, Chris, if you have, if you work with, with teams, like if you have a favorite security champion or, or somebody who needs to learn about threat modeling or be better at threat modeling, pass it along, send them in, send them. If you can't, even if you can't attend,

Chris Romeo:

yeah,

Matt Coles:

mean, this is a,

Chris Romeo:

the best place I could think of to gain, to, to gain that knowledge from so many different experts, from so many different disciplines of threat modeling. Um, it's, it's a great, would be a great place to learn. Well, thanks for listening to The Security Table, and we hope to see everybody in Washington, D.C. on October 29th for Threat Modeling Con.
