TMI newsletter 5 – Threat Modeling: do it early, do it often, do it as a team


Hi there, welcome to our monthly edition of the Threat Modeling Insider.
With this newsletter, we deliver guest articles, white papers, curated articles and tips on threat modeling that will help you bootstrap or elevate your security knowledge and skills.

This month's “TMI” line-up features:

Threat modeling: do it early, do it often, do it as a team

Guest article by Irene Michlin, Senior Managing Consultant at IBM

This blog comes in the aftermath of Open Security Summit – an event where security professionals get together to exchange their views and experiences. I attended after a gap of one year, and it really brought home how much the practice of threat modeling has moved towards the mainstream compared even to 2017.

Of course, being security people, we didn’t celebrate (much), instead focusing on the next obstacle to adoption. And almost everyone who does threat modeling in industry agrees that this obstacle is the heavy weight of the methodology (real or perceived, doesn’t matter). Perceptions might be unfair, but it’s pointless to argue with developers about them, by the way. …

Toreon discount for our HITB training

You need a game plan to bootstrap or improve your threat modeling practice. We will explain how to do this and will provide you with our new Threat Modeling Playbook. This playbook provides the main steps to establish a threat modeling practice for every type of organization or development team, regardless of your size and maturity level.

We will release the playbook under the CC BY-SA 4.0 license and donate it to the OWASP Threat Modeling project for our community to use and improve it.

More details and registration are available on our website.

Curated threat modeling content

OWASP project Automated Threat Handbook


Colin and Tin have created a list of automated attacks against web applications.

When you are threat modeling and bots or automated attacks are in scope, this OWASP handbook is a fantastic checklist of automated threats against web applications, accompanied by a range of possible mitigations you can employ to partially or fully mitigate them.

You can download the handbook here, and check the OWASP project here.




Privacy threat modeling with LINDDUN


Privacy has become a key issue in today’s e-society, and I assume you know about GDPR, right? It is really important that privacy is integrated in the software development lifecycle as soon as possible.

A couple of researchers at the University of Leuven in Belgium (all good things come from Belgium …) have created a privacy threat analysis methodology called LINDDUN. See the picture below for the 6-step approach. This methodology covers your “Privacy by Design” needs nicely. A step-by-step tutorial of the current version can be found on the download page.

Tip of the month: Play EoP online!

The original EoP game is designed to be played with everyone together in a room. Unfortunately, this doesn’t work well for open source projects where the contributors are distributed around the globe and need to play asynchronously. Fraser ‘zeroXten’ Scott has created an online version that acts as a virtual card deck.

We aim to make this a community driven newsletter and welcome your input or feedback. If you have content or pointers for the next edition, please share them with us.

Next month we are on holiday, we will be back in full force in August. Enjoy your vacation and make some memories to remember forever!

Kind regards,
Sebastien Deleersnyder
CEO, Toreon
