Using the Threat Modeling Manifesto to Build an Enterprise Threat Modeling Program

Explore the fundamentals of building an Enterprise-class threat modeling program using the Threat Modeling Manifesto in this 57-minute LASCON conference talk. Learn why threat modeling is crucial in today's security landscape, how to leverage the manifesto created by 15 security experts, and gain practical tips for implementation. Discover the four key questions, benefits, and principles of effective threat modeling. Understand the importance of collaboration, iterative approaches, and the 30-minute rule. Delve into positive patterns, antipatterns, and useful toolkits for choosing a solid process. Learn strategies for embedding threat modeling in your organization, developing threat modeling champions, and teaching the practice. Explore how to adapt methodologies like STRIDE and ASVS, focus on mitigations, adopt the right tool sets, and perform quality checks on threat models.

Introduction
Agenda
The Challenge
The Threat Modeling Manifesto
What is Threat Modeling
Threat Modeling for Everyone
Why Did We Put This Together
The Four Key Questions
Benefits of Threat Modeling
Using the Manifesto
People in Collaboration
Journey of Understanding
iterative approach
threat modeling
the 30 minute rule
the principles
outcomes are meaningful
antipatterns
positive patterns
useful toolkit
choosing a solid process
embed threat modeling
threat modeling champions
teaching threat modeling
embracing stride
adapt with ASVS methodology
focus on mitigations
adopt the right tool sets
threat model quality checks
summary