#148 - Threat Modeling (with Adam Shostack)

CISO Tradecraft® - A podcast by CISO Tradecraft® - Mondays


On this episode we bring on the leading expert of threat modeling (Adam Shostack) to discuss the four questions that every team should ask: What are we working on? What can go wrong? What are we going to do about it? Did we do a good enough job?

Big thanks to our sponsor: Risk3Sixty - https://risk3sixty.com/whitepaper/

Adam Shostack's LinkedIn Profile - https://www.linkedin.com/in/shostack/

Learn more about threat modeling by checking out Adam's books on threat modeling:

Threats: What Every Engineer Should Learn From Star Wars - https://amzn.to/3PFEv7L

Threat Modeling: Designing for Security - https://amzn.to/3ZmfLo7

Also check out the Threat Modeling Manifesto: https://www.threatmodelingmanifesto.org/

Transcripts: https://docs.google.com/document/d/1Tu0Xj9QTbVqbVJNMbNRam-FEUvfda3ZS

Chapters

00:00 Introduction

06:02 The 4 Questions that allow you to measure twice cut once

09:29 How Data Flow Diagrams help teams

16:04 It's more than just looking at threats

19:23 Chasing the most fluid thing or the most worrisome thing

22:00 All models are wrong and some are useful

26:25 Actionable Remediation

31:05 LLMs and Threat Models
