Thanks for sharing your knowledge on this, I am studying for CISSP and your video has helped me understand how a Threat Modelling exercise is actually done.
I will conduct my first Threat Modeling session with a developer team soon and your video is super helpful to understand all the details. Very simple and informative. Keep up the good work!
Glad to hear it! That's why I made this. When I first started out with threat modeling, I was in the same situation and noticed how few people actually show their process and instead focus on "tools" that felt ultimately unhelpful. Hope your session goes well.
I don't want to make a whole video on PASTA since I haven't used it enough. PASTA is more geared towards internal teams and has you work with your dev/systems steams more closely. It needs to be more ingrained in the planning process. But it is great!
Nicely explanation, I have one question, why you are doing this in manually, there is a tool from Microsoft. That tool will do all things automatically for you. Any specific reason you do this manually?
This is actually a really great question. Sometimes you can over automate things. I don't like the MS tool because unless you're seasoned and have the tool configured properly, it's overwhelming and ultimately unhelpful. You need to spend so much more time getting the tool set properly to make your threat models useful. I don't recommend it unless you already know what you're doing.
That's a good question! I actually don't know the answer to that. I think I would start by segmenting off the environment like normal, then make sure to include mutual authentication and allow list authorization into my trust requirements. If any component didn't enforce those two things in every part of each segment, then I'd flag that as a new vulnerability to be remediated. This is why I like standard security patterns that you can enforce internally. That way, there is no guessing. "Doesn't authenticate through our standard process? Vulnerability, remediate it immediately."
Really good for starting thread modeling.
Thanks for sharing your knowledge on this, I am studying for CISSP and your video has helped me understand how a Threat Modelling exercise is actually done.
Happy to help!
A great introduction to beginners. I learned a lot. Thank you!
I will conduct my first Threat Modeling session with a developer team soon and your video is super helpful to understand all the details. Very simple and informative. Keep up the good work!
Glad to hear it! That's why I made this. When I first started out with threat modeling, I was in the same situation and noticed how few people actually show their process and instead focus on "tools" that felt ultimately unhelpful. Hope your session goes well.
It's been a game changer when working with developers and explaining threat modeling to them.
Thanks. The video helped me understand the threat modelling concept better.
The information you get from this video is a solid introduction. Great job!!! Thank you.
This is the most useful video on threat modeling on the internet! thank you for making it!
Great explanation and example. Thanks!
@11:42 minutes, you mentioned PASTA, can you please make a video about PASTA vs STRIDE and other threat modelling approaches?
I don't want to make a whole video on PASTA since I haven't used it enough. PASTA is more geared towards internal teams and has you work with your dev/systems steams more closely. It needs to be more ingrained in the planning process. But it is great!
Thanks! awesome demonstration on how to perform Threat Modeling.
Thank you!
Very nice explanation! Thank you!
this awesome. hoping you make one more complex as well !
Excellent! Thank you very much!
Nicely explanation, I have one question, why you are doing this in manually, there is a tool from Microsoft. That tool will do all things automatically for you. Any specific reason you do this manually?
This is actually a really great question. Sometimes you can over automate things. I don't like the MS tool because unless you're seasoned and have the tool configured properly, it's overwhelming and ultimately unhelpful. You need to spend so much more time getting the tool set properly to make your threat models useful. I don't recommend it unless you already know what you're doing.
Thanks heaps for this video super helpful.
Would you define trust boundries around every single "node" if you are to follow the Zero Trust framework?
That's a good question! I actually don't know the answer to that. I think I would start by segmenting off the environment like normal, then make sure to include mutual authentication and allow list authorization into my trust requirements. If any component didn't enforce those two things in every part of each segment, then I'd flag that as a new vulnerability to be remediated.
This is why I like standard security patterns that you can enforce internally. That way, there is no guessing. "Doesn't authenticate through our standard process? Vulnerability, remediate it immediately."
Very informative. Thanks
Glad it was helpful!
Thank you, really easy to understand
Very informative 🙏
Really good video, thank you!
Thanks a lot.
Maybe I'm just blind but I don't see the completed threat model report in the description? :(
That's a good point. It's there, but not labeled as the completed threat model. It's the aivillage link. I will update the description.
I need some help can you please advise how can i reach you.
We can message on here. What can I help you with?
Awesome!!