Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Chris Romeo (00:11):
All right, here go.
Hey
Matt Coles (00:12):
words.
First word.
Chris Romeo (00:14):
we're playing the
security table charades today.
And so, uh, welcome to the security table.
My name is Chris Romeo, joined by Matt Coles, Izar Tarandach.
And we were spending the last 10 to 15 minutes really focused on
Izar's OpSec,
of his little picture frame, that thing is called, behind him that
(00:36):
he has covered in baking paper so as not to have a reflection
so you cannot see what's on his screen and so operational
security it's important it's for you course can see your password
on that sticky note behind your head which I think is
Izar Tarandach (00:51):
So tell me,
cause I forgot it.
Chris Romeo (00:55):
Is that the
password for your Wi Fi or just
your bank account that I'm looking at there?
Izar Tarandach (00:59):
That one,
office?
Chris Romeo (01:02):
Yeah, there it is!
I hope that you didn't make that
your password, that'd be pretty funny though.
Alright, we are here for some amount of seriousness now.
We're here to talk about Threat Modeling Con.
So, uh, for folks that don't know, we're doing the first ever
threat modeling conference that's, that I'm aware of that's
ever happened in our industry.
(01:23):
Um, I, I have the, uh, was asked to be the global chair of the
event, and so I've been super excited to help behind the
scenes, knit this whole thing together.
Matt, Izar were part of the program committee as well as
doing a bunch of other things.
So, but primarily helping to wade through all the incredible
submissions we had about various facets of threat modeling.
(01:47):
And so before we dive in and talk in more depth, just in case
you're curious.
Now, the event's happening October 29th in Washington, DC.
This is a Sunday.
This is the day before OWASP Global happens in Washington,
DC, 30th and 31st, uh, which is a Monday and Tuesday, the 29th.
The Sunday right before the OWASP conference is when we're
doing Threat Modeling Conference.
(02:09):
It's in person.
It is at the Marriott Marquis, the same place the OWASP event
is, is happening.
So those are the details.
Um, you can, if you, you can literally just search for Threat
Modeling Conference.
We'll put some references in the show notes if you want to click
on a link to get to the registration page to see all the
other things that we're talking about here.
But we thought we would spend a few minutes
(02:29):
talking through the agenda for this event and really
highlighting some of the things we're excited about because we
are excited about a lot of different things that are
happening here.
So, um, just to kind of set the stage for people, like what,
from your guys' perspective, like what's the, what's the benefit
and value
of us having a threat modeling conference?
Like, why are we even bothering to do this?
Izar Tarandach (02:53):
Why?
So,
Matt Coles (02:58):
Have you started
that already?
Izar Tarandach (03:00):
yeah, no, I, I
think that the first one is that
apart from other OWASP events.
and perhaps an RSA Conf here and there.
It's going to be the first time that you are going to have a lot
of people, actually most of the Threat Modeling Manifesto team
(03:23):
together under one roof at the same time.
So I see a lot of value in that, not only as a member of the
group, but to people who would like to come and talk about the
Manifesto and what took us there and stuff like that.
Uh, to be sure, it's not the same team that's doing both
things, it's a distinct team with some overlap between the
(03:46):
Threat Modeling Manifesto Group and the ThreatModCon, and that
was by design, but uh, I'm very excited, first, about having all
of us close in the same place talking about the thing that we
like so much.
And the thing that got me the most excited, especially when
(04:09):
being part of the program committee, was that all of a
sudden we don't have to worry about talking too much about
threat modeling.
We had this great opportunity of saying, yes, we have a full
agenda of threat modeling, and we don't have to, for
clarification, Matt and I, and Chris, we participate in other
(04:30):
events, uh, program committees, and it's always that battle
between, I don't think that there's enough threat modeling
being, being addressed to, yeah, we have to talk about other
stuff as well.
So it was really, really gratifying to once in my life,
not have to worry about that.
And we're going to get more into that, but, uh, the, the, uh,
(04:53):
different approaches that we got in the, the submissions and
seriously, thank you people out there, we got some really,
really, really great submissions at times.
It was, it was hard to make up our minds or, or to, to decide
what to put in there.
And that's a whole different episode.
We could talk about selections for events for a whole hour.
(05:18):
But I think that we got some great ones and we built a
program that I'm really excited to be able to deliver out there.
Matt Coles (05:26):
Yeah, I definitely,
I think we should, we should
definitely, I'll, I'll just reiterate that thank you to
everyone in the community who submitted, um, submitted, uh,
you know, presentations and, and workshops for this.
Um, so we are, we're doing presentations, we're doing
workshops, we have a Birds of a Feather, uh, uh, that will
be, will be happening in Birds of a Feather within the threat
(05:48):
modeling, uh, space.
So, you know, if you're interested in certain topics of
threat, subtopics of threat modeling, uh, we have a, not a
keynote, keynote, uh, where we'll be talking, I think,
really interesting and important for, for folks to get, even if
they're experienced or if they're new, to learn the
history of threat modeling and, and from some, some pretty
(06:09):
interesting folks who will talk about their, their own
experiences and deliver this.
It's a very personal thing.
And we should, we should mention, you know, the, the
theme of this, of the conference this year.
The first ever is threat modeling is for everyone, right?
So this is all about.
Um, you know, the, and you see it, and I think we reinforce
(06:30):
this with the talks that are going to be given, and even the
workshops themselves.
This is not some academic, these are not academic presentations.
These are, these are talks about how real people took real
challenges and solved them with, with real methods of threat
modeling, uh, and, and taking it from the ground up, right?
Literally, how to conduct, how to, how to conduct, uh, you
(06:53):
know, uh, discussions around threat modeling.
How to, uh, build threat models.
How to deal with problems during the process.
Dealing with the, with the results, and then the, some
various techniques to apply it.
And I think we'll, we'll talk about those in a little bit more
detail.
But, um, but this is going to be a, definitely an exciting, um,
conference for those.
(07:14):
Again, for folks who are new, you're going to learn a ton of
stuff and then things that you can apply pretty much
immediately as soon as you get back to your day-to-day lives.
Uh, and for, even for experienced practitioners, this
has something for them.
Chris Romeo (07:28):
Let's, let me, uh,
just kind of set the stage for
this keynote because I know Matt, you're, you're kind of
the, the person who kind of knitted this whole thing
together for us.
So let me, um, let me just introduce it.
And talk about some of the people that are part of it, that
you've gathered together here, and then we can see kind of,
then you can give it, you can kind of explain maybe a little
(07:48):
bit more depth what people are going to experience here, um,
and so the keynote is, is a
Matt Coles (07:53):
Izar with his clicky
keyboard over there,
Chris Romeo (07:55):
Yeah, he's our,
he's, he's, uh, you know,
Matt Coles (07:58):
Bang, bang,
Chris Romeo (07:59):
yeah, he's, uh,
we're, we're working on the, uh,
the mute button.
Um, so the keynote though, it's, you're using the, the theme of
the conference, Threat Modeling is for Everyone.
Let me just highlight the people that are going to be a part of
this, because this is really incredible.
We've got Brook Schoenfield, someone who we all love, and we
think of as the, you know, one of our, I mean, he calls himself
(08:21):
the elder statesman of AppSec.
So, um, that's his title.
I didn't, I didn't assign it to him, but he is right.
He's somebody who's been around our, our industry for a long
time, has built threat modeling programs and done everything in
the threat modeling sphere.
Um, you've got Seba Deleersnyder, who very, very,
uh, prominent threat modeling consultant and trainer and
(08:42):
teacher.
Uh, as well as very prominent OWASP, uh, contributor as well.
Um, we've got Tanya, Tanya Janka, who's, uh, has done a,
has, has done a lot of, of talking about threat modeling
and talks about a lot of other things in the world of AppSec,
and, uh, I think has a very
unique perspective as far as how she comes at these things.
Kind of different than, um, than a lot of the ways that I think
(09:05):
others of us think about it.
You've got Robert Hurlbut, who's a good friend of mine, co-host on
the AppSec podcast.
Um, he's done threat modeling in the corporate environment, in
the government environment, in the, uh, you know, individual
kind of startup environment, like he's done threat modeling
everywhere.
And then John Taylor as well, someone with a, with a huge
(09:26):
amount of experience and knowledge.
And then I forgot the most important, not the most
important one, but the guy who knitted it all together.
Matt Coles is, is going to be part of this conversation as
well.
So, um, so Matt, you kind of came up with the idea and it's,
I don't want to call it, it's not the un-keynote, keynote.
Matt Coles (09:44):
It was not a keynote
keynote.
I mean, I forget
Chris Romeo (09:46):
but it, but it's
something, it's different than
what people are, have maybe experienced before.
So give us some perspective about how you're gonna, you're
gonna knit the, this group of, of experts, threat modeling
people that know so much.
How knit this together into a...
a single, uh, keynote.
Matt Coles (10:04):
Uh, with luck, we'll
do it successfully.
Uh, so, um, because obviously this is, so this is not a panel.
Uh, this is more of a set of vignettes along a path or a
continuum of Threat Modeling.
Starting with the history of Threat Modeling, where we, where
we began in the industry.
I mean, obviously we can't go way, way back.
(10:25):
So it'll be, there'll be a point in time when, when threat
modeling really started.
And I, and I, I know this is going to get exciting because
we're, you know, Brook, our elder statesman is going to, to
kick us off, uh, in, in that process.
And then as we progress through time, we're going to touch upon,
uh, different aspects of threat modeling from, from the
perspective of, of, uh, the individual who's presenting.
(10:47):
So, uh, you know, we'll, we'll get the insight from, from Seba
and Tanya, uh, Robert and John, um, following Brook, uh, in, in
the aspects that they want to cover with respect to, you know,
maybe a challenge that they, that they ran into and overcame
in, when doing threat modeling, um, or, or an evolution that
(11:07):
they, uh, that either that they took advantage of, uh, in how
threat modeling is done or something that they actually
innovated on.
And, and so we'll, we'll look from the, the very beginnings
when, you know, primarily it was, you know, governments and
security people doing this to today where now it's again, for
everyone, right?
For developers and others who are interested in threat
(11:28):
modeling, this is no longer an ivory tower discussion.
So, uh, if we're successful, um, and I'll be moderating this, uh,
this, not a panel, not a keynote, keynote, introduction
history to threat modeling, um, uh, where, uh, so hopefully
we'll keep everyone on time and on track and, uh, and it'll be
an exciting, uh, exciting set of vignettes.
(11:52):
Uh, uh, it should be very interesting.
Chris Romeo (11:56):
Yeah, I'm, I'm, I'm
very excited for how this is
going to all come together.
So after we finish the keynote, then we're going to split into
two different tracks.
So we're going to have some different opportunities, um,
things for people to talk about.
I mean, in that first segment, we've got Avi Douglen, who's a
very well-known name in the world of threat modeling,
another, uh, another author of the manifesto with us, um,
(12:20):
talking about the threats to our community.
And at the same time, you've got Tyson Garrett, shifting threat
models from static to dynamic.
I mean, the challenge I'm having with this agenda is, ha ha ha,
why'd you give me so many different things?
Izar Tarandach (12:34):
The challenge
here is going to be like running
from one room to the other.
Chris Romeo (12:38):
Yep
Izar Tarandach (12:38):
It's one of
those cases where I really want
to divide myself and like split.
because there is just going to be so much interesting stuff
going on.
I mean, Avi is looking at the threats of our community from a
position of, okay, it's good to threat model systems and all
that, but what else can we do with this?
(12:59):
Can we apply it to a higher level?
And then Tyson is coming with, okay, how do you take this
threat model thing here and that's a static, it's a document
and stuff and make it respond to a landscape that's always
changing.
Matt Coles (13:15):
So,
Izar Tarandach (13:15):
it's gonna be so
hard.
Matt Coles (13:16):
Something else to
keep in mind is we're getting,
we'll be getting close to Halloween on, on this, uh, on
this journey. And, uh, we know that Avi is, is, is famous, or
infamous,
for, uh, wearing costumes to presentations.
So we'll have to see what, we'll have to see when it comes in.
Chris Romeo (13:34):
what comes up with
and shows us.
So, yeah, so that's, I mean, that's our first segment between
the two different rooms.
And then, same problem that I'm going to say over and over
again.
Like, the next segment after that, you've got Kim Wuyts,
another friend of ours, Shifting Privacy In.
And you've got Edouard Stoka, Classic Brainstorming Threat
Modeling vs. Threat Modeling Tools.
(13:55):
So you've got privacy on one side, and you've got kind of
manual, manual threat modeling versus, versus using tooling to
generate this.
It's, once again, it's just another, another challenge as
far as which room you go to.
And, you know, you just run, literally run back and forth and
hear a word in one.
I don't know how fast you are.
I'm probably not that fast.
Matt Coles (14:15):
If we, if we were
smart, we would have gotten the
ballroom that has the dividers.
We could open the dividers and you could be like sort of
between both rooms.
Izar Tarandach (14:21):
Sitting in the
middle And, just looking both
sides.
Chris Romeo (14:24):
Maybe we should
have done a one, one track
conference.
then we would have been able to just sit in there the whole
time.
But, but the problem is we had so many awesome speakers and so
many awesome submissions that came in that it was so tough to
say, well this is the line.
Like we're only going to be able to choose a
Izar Tarandach (14:39):
wait, wait,
wait.
Chris Romeo (14:40):
to
Izar Tarandach (14:40):
I think that the
original plan was to have a one
Chris Romeo (14:43):
was, it
Matt Coles (14:44):
Yeah, It would have
been, four
Izar Tarandach (14:45):
were just so
good.
It's
Matt Coles (14:48):
Yeah,
Chris Romeo (14:48):
And so, such
Matt Coles (14:49):
It would have been,
it would have been four
presentations and two workshops and it wouldn't have been as
robust and exciting and I think we were getting some, we're
getting, I mean, obviously we're getting a lot of really good
presenters who we've known, many who we've known throughout, you
know, throughout our time and so many great topics, again,
(15:09):
covering the gamut from, from beginner on up and, and whether
you're doing whiteboards or you're doing automation or
you're doing whatever, um, you know, it's, it's something for
everybody.
Chris Romeo (15:23):
And then in the
next hour after that, one of the
ones that I've got my eye on is the Operational-Intersectional
Threat Modeling, Dr. Michael Loadenthal.
So, um, I don't remember how I got connected to Dr. Loadenthal,
but I did an episode with him of the Threat Modeling
Podcast, and he just takes threat modeling to a different
(15:44):
place than I've ever gone with it before.
Like, he's used threat modeling to, uh, to assist members of
Congress in the United States to profile their digital lives.
And it's, I know intellectually, like, threat modeling, of
course, you can threat model anything.
I say that all the time.
But he's somebody who's done it.
He's taken threat modeling to other places, and I'm just
(16:06):
fascinated to see, how did you apply this?
How did you make this work in something that's not just a web
application with a database and a React front end attached to
it?
Izar Tarandach (16:16):
It's the power
of asking what could go wrong,
right?
Matt Coles (16:21):
Right, and then, and
then opposite that is how to
effectively do triage of threat models, right?
So this isn't, this is how do you do, on one hand, doing, how
do you do threat modeling in a particular environment and, and
for, uh, some, some,
you know, and adapting to new techniques.
(16:42):
And then how do you make it effective when you're doing it?
And so it's really hard to choose.
It's going to be really hard to choose.
I mean, do you want to look for innovation or, or do you want to
help for work on facilitation?
And so, um, you know, hopefully folks will take good notes and
we can share.
Izar Tarandach (16:58):
Yeah.
Chris Romeo (17:00):
And then we make
our way to lunch.
And the thing that we're excited about for lunch is that's when
we're going to do our birds of a feather.
And so, we'll have the lunch environment set up where people
can, there'll be cards on each table of different topics, and
people can join different conversations, different tables
to have a conversation about a particular facet of threat
modeling.
(17:20):
I know those are still developing right now.
So we don't even have a finished list at this point.
We're iterating on that, trying to get the best possible list,
but that's, it's going to be birds of a feather focused on
threat modeling.
Like normally I go to birds of a feather at conferences and maybe
there's one table out of 50 talking about threat modeling,
but here's going to be in an environment where everybody's
(17:41):
talking about threat modeling.
Izar Tarandach (17:44):
So confession
time.
I've never done a Birds of a Feather.
Chris Romeo (17:47):
Really?
Matt Coles (17:48):
Wow, that's what,
actually, it's, for, for the
limited number of conferences that I've gone to over the
years, Birds of a Feather, I think, is one of the best parts
of, because you get, you get people together who, who want to
share similar ideas, and, and there's, you can get really in-depth
discussions about a particular topic.
(18:10):
Share ideas, debate, argue about different ideas, but you know,
you're, you're, it's, it's a bounded conversation.
It's not like, oh, I have this topic and I have this topic, and
you're all over the place.
It's, it's much more focused.
I think it lends itself well to great conversations, good
networking.
Right?
Especially if, you know, if the birds of a feather work out
(18:30):
where if we, for instance, we're going to talk about, you know,
threat modeling as code, as a topic, right?
It'd be great to have conversations with people who,
who use the various tools that are now out there, right?
Or threat modeling with AI.
Uh, or, or even, you know, business aspects of how, how to
build a program, right?
These are some of the topic areas I think that, that people
(18:51):
could, could be focusing on.
Um, and again, the list hasn't been finalized yet.
So, um, you know, definitely if anyone has any input, uh, love
to hear it.
But, uh, it's, um, you know, you'll have
opportunity to have like-minded conversations with people who
have, um, who have thoughts or experience or just crazy ideas
(19:13):
in, uh, in some of these aspects.
Chris Romeo (19:16):
Yeah.
Izar Tarandach (19:16):
I look forward
to being a hummingbird this
Birds of a Feather and jump from one to another,
Chris Romeo (19:22):
Yeah,
Matt Coles (19:23):
Well,
Izar Tarandach (19:23):
chunk the
grenade and go
Matt Coles (19:24):
And I think, and
actually, so actually it's kind
of an interesting challenge for us in particular because, you
know, we, we're putting this, this whole thing on.
We're part of the program committee.
Chris is our, uh, our fearless leader over here, uh, for, for
the con, operating, operating committee.
And, uh, you know, so, we're staff.
Chris Romeo (19:45):
Yeah,
Matt Coles (19:46):
I've never been
staff at a conference before.
Uh, what do you do?
We're not supposed to be, like, sitting in the presentations, or
joining the Birds of a Feather.
We're here to help.
Uh, so, we're gonna be, have them be listening in, and, hmm,
hmm.
Izar Tarandach (20:01):
But we will be
available.
Matt Coles (20:02):
We will be or we
will be around, I, I guess.
We're all gonna be on site, uh,for, for the event, so.
Izar Tarandach (20:07):
if anybody sees
us going around and unless
something is on fire, by all means, stop us.
We're there to talk threat modeling as well.
Matt Coles (20:16):
Right, know.
Chris Romeo (20:17):
So, so after lunch.
Izar Tarandach (20:19):
After that,
Matt Coles (20:20):
Yeah.
Chris Romeo (20:20):
We're to the
workshops, right?
Izar Tarandach (20:23):
oh, the
workshop.
Chris Romeo (20:24):
Yeah, we have two
workshop opportunities.
Um, Robert Hurlbut's doing Developing a Threat Modeling
Mindset, and Jono Sosulska, sorry if I pronounced that
wrong, uh, is doing From Threat Discussion to Completed
Mitigation.
So we've got two, uh, different kind of takes, I guess, from the
workshop, but they're going to be interactive, there's going to
(20:46):
be, they're going to be learning experiences, and we wanted to do
something in the event that was more than just talks, we wanted
to, if there, because we know there's going to be some new
threat modeling people that'll be with us at the event, we want
to give them opportunities to learn.
That's one of the things that's so cool about the threat
modeling community as I've experienced it is it seems like
everybody's willing to be a teacher.
(21:07):
There's not a lot of people that are like, nope, sorry, can't
help you.
Like, everybody shares their knowledge openly, freely, and they
do, um, different trainings, things like that's happened with
Threat Modeling Connect.
I know, Izar, you've done, I think you've done one or you
might have one coming up.
Um, but yeah, I mean, we've got, you know, people are, we're
willing to share, people are willing to share their
knowledge.
And so, I love that Robert and Jono are both, leading us into
(21:29):
these workshops and, and giving folks a chance to put threat
modeling into action.
Like, let's not just sit around and talk about it, we're going
to do some threat modeling.
Izar Tarandach (21:38):
Yeah.
Matt Coles (21:39):
We should have
called this threat modeling for
everyone, by everyone.
Izar Tarandach (21:43):
right.
So I'm not very familiar with Jono, but with Robert, yes.
And I know how good of a teacher he is.
And I really look forward to people who don't have a lot of
experience with, uh, threat modeling coming and getting it
from him.
I mean, we, we don't have training, specific trainings in
(22:03):
this, this conference, even though there are some great
offerings out there and, uh, the, the, uh, global, uh, OWASP,
AppSec,
just right after.
They are going to have trainings and Adam will be there and some
other good names in threat modeling.
So definitely people, if you are looking for training, look at
those.
But I think that these workshops will be very, very valuable for
(22:25):
people who are less familiar or experienced with those facets of
the process.
Coffee!
Chris Romeo (22:34):
So after the
workshops, we go to the all
important coffee break.
Can't believe I just called that out.
Matt Coles (22:39):
Well, actually, it's
actually important.
I think we don't have the ability today to talk about our
sponsors.
Um, but, you know, obviously we will have folks, um, there will
be folks around, um, you know, who are, are available to talk
about offering other offerings, uh, in the area of threat
(22:59):
modeling.
Um, you know, there's, there's certainly stuff that happens
beyond just the tools and the, and the consultants.
Chris Romeo (23:06):
It's a good
reminder, yeah.
And coffee breaks are great times to, to network and talk to
people.
Like, that's my favorite thing about going to conferences these
days.
Like, I don't actually sit in a lot of talks, but I sit in a lot
of hallways and talk to people.
And the first day Izar and I met was at OWASP Boston with Mark
French.
And
Izar Tarandach (23:25):
OWASP San Jose,
2018.
Right
Chris Romeo (23:28):
we meet before
that?
Well,
Matt Coles (23:29):
You and I, Chris,
you and I met the first time at
Boston
Izar Tarandach (23:32):
right, right,
that is when I when I introduce
you guys.
Chris Romeo (23:36):
yeah, we ended up
sitting in the hallway at OWASP
Boston with French and Justin Redberg, who was, who was with,
was working with me, um, a friend of mine.
Yeah, we just sat in the hallway for like four hours,
Izar Tarandach (23:48):
it
Chris Romeo (23:49):
like, I'm like, I
should go to
Izar Tarandach (23:50):
and came back to
the,
Chris Romeo (23:51):
Yeah, I'm like, we
should go to the conference, but
we were, I mean, and we were having good conversations.
It wasn't like we were just sitting around doing nothing,
like, we were deep in conversations and solving
problems, and like, I got to the end and I'm like, that was a lot
of fun.
Like, that was, but we want to, we want to magnify that same
thing at Threat Modeling Conference.
Like, I mean, I have had the luxury of meeting almost
(24:14):
everybody in the world of Threat Modeling.
And I want to tell people that are out there, like, everybody's
approachable.
Like, you can walk up, Adam Shostack, like, you like, you
look at Adam and you're like, I can't even talk to this guy.
He's written all the books and all the things.
He's the nicest man that you're ever going to meet.
And he would love for someone to walk up and say hi to him and,
and, and ask him a question that they've had about, I've had this
question about the four questions forever.
(24:34):
Guess what?
Adam will love it if you come up and talk to him.
Or you guys have written another one of the books on threat
modeling.
Like, I want to encourage people that are at our event, like,
talk to, talk to the, the, we're all out there, we're all just
people, like, there's no, there's no hierarchy here, like,
we're all just people, let's have conversations, let's use
that networking time to meet each other, cause there's
nothing better than meeting new people at these events,
Izar Tarandach (24:56):
and challenge
challenge us.
If you think that you disagree with something that we said or
put out, hey, come and challenge us because we will learn from
you too.
Chris Romeo (25:04):
yeah,
Izar Tarandach (25:05):
So definitely.
Matt Coles (25:06):
Constructive
challenges.
I mean, we're, we're, not here to get into, well, we are not
here to get into fights, although I think Izar would be
able to take most people, um, but, uh
Izar Tarandach (25:15):
too.
Chris Romeo (25:15):
Izar will
Izar Tarandach (25:16):
a certificate.
Super.
Chris Romeo (25:17):
Izar will be, yeah,
that's for security training,
come on, um, Izar, Izar will be doing like a jiu-jitsu
demonstration if so, you know,
Matt Coles (25:25):
What's in your
Izar Tarandach (25:26):
am sure there
people in there who have a lot
of experience in Jiu-Jitsu.
This is a community that goes to the gym pretty much.
Chris Romeo (25:33):
that's true.
Let's keep going through ourschedule here.
And
Matt Coles (25:36):
you guys go to the
What?
Chris Romeo (25:37):
got
Izar Tarandach (25:38):
Hmm.
Matt Coles (25:38):
You guys go to the
gym?
What's up with that?
Izar Tarandach (25:40):
We got get you
on the mat, Matt.
Chris Romeo (25:44):
Or you can be mat,
Matt.
Matt Coles (25:45):
I'll be in the back.
Izar Tarandach (25:47):
That's just the
beginning.
That's the first class.
Chris Romeo (25:50):
That's where you
start.
Um, yeah, so then we got, uh, after the coffee break, we got
Threat Modeling Program Milestones: A Journey to Scale,
Brenna Leath, Lisa Cook.
These are two North Carolinians.
They live nearby to me.
I know them both.
Excellent speakers.
And they're coming at this from practitioner running programs
inside of companies.
Like what, what does it take to run programs?
Um, Hitchhiker's Guide to Failing Threat Modeling.
(26:11):
I love the name of this.
Like what, give me some, uh, give me some context on this one.
Matt Coles (26:17):
so this is all, this
is this is, like, this is
probably one of my favorites, I think, out of, well, okay, so
Kim, Kim's
Chris Romeo (26:25):
can't have favorite
kid, Matt.
Come on.
Matt Coles (26:27):
Kim's Threat
Modeling is, is like up there
also, but, but this one is all about what happens when things
go wrong in your threat modeling process.
Izar Tarandach (26:37):
So important.
Matt Coles (26:38):
Because we like to
think of threat modeling, well,
or a lot of people think of threat modeling as an academic
exercise.
It's a paper exercise, a documentation exercise,
whatever.
But you can get it wrong, and it's okay to get it wrong.
How do you handle it?
How do you recover from it?
This presentation, um, is going to, um, is definitely going to
(27:01):
help, I think, in that area, um, for helping, helping people on,
not just, not just understand where failures occur, in the
process, but also how to recover from it successfully.
Chris Romeo (27:13):
Nice.
Matt Coles (27:15):
Izar, your, uh,
Izar Tarandach (27:16):
No.
And to recognize that it's okay to have failures, that you can
build from them too.
It's not.
It's not that, oh my god, it didn't work the first time,
let's kick it.
No, you can recover.
It's asking what could go wrong, when asking what could go wrong.
Matt Coles (27:31):
there you go.
Chris Romeo (27:32):
There's another t-shirt right there.
Asking what could go wrong when asking what could go wrong.
Infinite loop.
All right.
So then, then we have two more talks to kind of wrap up the
day.
Um, this is not a case where, like, these are talks that could
have gone anywhere in the schedule.
Like, we saved AI for the end, for the last, for this last
segment of the day.
And everybody's thinking about AI threat modeling and how does
(27:53):
it come in.
And so you've got Wael Ghandour, Everyone is a Threat Modeler: An
AI-Enabled Journey for Beginners, which should be fun.
And then you've got Geoff Hill, who's, uh, got a talk on Being
VERY Agile with Rapid Threat Model Prototyping.
So you've got kind of a process, um, how do you get threat
modeling done faster, and then you've got AI and threat
modeling.
So, I mean, you want to talk about ending the day with a bang
(28:14):
here, like this is not, we're not ending on a, you know, we're
not fizzling out, we're ending at full speed, um, with, with the
best speakers,
Matt Coles (28:23):
And these are,
Chris Romeo (28:24):
day out.
Matt Coles (28:25):
these are some of
the technical presentations.
I mean, there, there's going to be, you know, the, the RTMP, uh,
you know, rapid threat modeling prototyping is definitely not
for the faint of heart.
So this will be an exciting, exciting journey, right?
And, and how do you connect it to your DevSecOps process,
processes, right?
And that's the AI threat modeling, of course.
(28:45):
I, I, I don't know how it'll work.
I, I wonder if there's going to be good math, you know, a lot of
math in this, um, you know, and, and things.
It'll be interesting to see.
Um, but it's, you know, these are, these are some pretty
strong,
practical, like, hey, I'm looking to integrate this into
my existing environment, or I want to do something fancy and
new, or what's the latest trends.
These are them.
(29:05):
They're at the end of the day.
Hopefully people are, are, you know, off the coffee break and
still got some energy.
And, uh, so it should be exciting.
Chris Romeo (29:13):
Yeah, this is, I
mean, what a day going to be.
I this is, I know I'm getting excited again here, thinking
about it.
And we still got to wait, you know, another month six, we're
six weeks out or so from the event right now.
And, um, now going through this agenda and considering all these
talks, I'm like, nah, I want this to happen tomorrow.
Like, I don't, I don't want to be patient, I want to, I want to get
(29:34):
to this event and sit in and hear all these speakers go
through this experience with our audience.
I think this is just going to be, going to be an incredible day.
Matt Coles (29:41):
And bookending is
all is Chris, both giving us an
opening statement and closing remarks.
So, I mean, I don't know how you're going to follow this
awesome agenda here, Chris.
Izar Tarandach (29:55):
Oh, going to be
some surprises there.
Chris Romeo (29:57):
there is a, there
is a surprise that's being
cooked up that I'm already aware of.
And no, I mean, I don't think I'm getting hit with a pie, but
that could happen too, as a second surprise.
Yeah look, I didn't win a Super Bowl here, on.
This is, no Super Bowl of threat modeling.
Um, but yeah, my, my, my goal with that closing remarks is to,
I'm gonna watch and listen all day long, and I'm just going to
(30:18):
make notes throughout the day, and then I'm going to try to
share what I took away, what I learned, what I, what cool
things and, and what people taught me, and try to, try to
just show, and very quickly, here's all the cool things that
we knew, we knew that happened at this, this event.
That's really my goal, my opening, hey, that's my chance
(30:38):
to tell some jokes, I follow the Michael Scott approach, which is
have a couple jokes ready, try a couple in a row, see which one
lands and then go.
So we'll see how that works, if that's can become a reality.
But, um, yeah, I mean, I mean, final thoughts is come to this
event, be get, get to DC, be a part of Threat Modeling Con.
The first is good.
You can say you're at the first one.
(30:59):
How often can you say you were at the first one ever of
anything?
Izar Tarandach (31:03):
First of its
name.
Chris Romeo (31:04):
I mean the first
time and we hope it's going to
go on for a note, weigh it well into the future as, uh, because
we, we all realize and know and believe that this is something
that's a growing area.
Um, but I would encourage anybody out there, if you can
get to DC, if you're in DC, get a ticket, be a part of this.
If, uh, you can travel to DC to be a part of it, it's going to
(31:25):
be worth your while.
That's, uh, that's my guarantee to you right now.
So thanks
Matt Coles (31:29):
you a, sorry, Chris,
if you have, if you work with,
with teams, like if you have a favorite security champion or,
or somebody who needs to learn about threat modeling or be
better at threat modeling, pass it along, send them in, send
them.
If you can't, even if you can't attend,
Chris Romeo (31:45):
yeah,
Matt Coles (31:46):
mean, this is a.
Chris Romeo (31:47):
the best place I
could think of to gain, to, to
gain that knowledge from so many different experts, from so many
different disciplines of threat modeling.
Um, it's, it's a great, would be a great place to learn.
Well, thanks for listening to the security table, and we hope
to see everybody in Washington, D.C.
October 29th for Threat Modeling Con.