با برنامه Player FM !
پادکست هایی که ارزش شنیدن دارند
حمایت شده
Threat Modeling With Good Questions and Without Checklists - Farshad Abasi - ASW #335
Manage episode 489221591 series 2794676
What makes a threat modeling process effective? Do you need a long list of threat actors? Do you need a long list of terms? What about a short list like STRIDE? Has an effective process ever come out of a list? Farshad Abasi joins our discussion as we explain why the answer to most of those questions is No and describe the kinds of approaches that are more conducive to useful threat models.
Resources:
- https://www.eurekadevsecops.com/agile-devops-and-the-threat-modeling-disconnect-bridging-the-gap-with-developer-insights/
- https://www.threatmodelingmanifesto.org
- https://kellyshortridge.com/blog/posts/security-decision-trees-with-graphviz/
In the news, learning from outage postmortems, an EchoLeak image speaks a 1,000 words from Microsoft 365 Copilot, TokenBreak attack targets tokenizing techniques, Google's layered strategy against prompt injection looks like a lot like defending against XSS, learning about code security from CodeAuditor CTF, and more!
Show Notes: https://securityweekly.com/asw-335
666 قسمت
Manage episode 489221591 series 2794676
What makes a threat modeling process effective? Do you need a long list of threat actors? Do you need a long list of terms? What about a short list like STRIDE? Has an effective process ever come out of a list? Farshad Abasi joins our discussion as we explain why the answer to most of those questions is No and describe the kinds of approaches that are more conducive to useful threat models.
Resources:
- https://www.eurekadevsecops.com/agile-devops-and-the-threat-modeling-disconnect-bridging-the-gap-with-developer-insights/
- https://www.threatmodelingmanifesto.org
- https://kellyshortridge.com/blog/posts/security-decision-trees-with-graphviz/
In the news, learning from outage postmortems, an EchoLeak image speaks a 1,000 words from Microsoft 365 Copilot, TokenBreak attack targets tokenizing techniques, Google's layered strategy against prompt injection looks like a lot like defending against XSS, learning about code security from CodeAuditor CTF, and more!
Show Notes: https://securityweekly.com/asw-335
666 قسمت
همه قسمت ها
×
1 Getting Started with Security Basics on the Way to Finding a Specialization - ASW #339 1:07:50

1 Checking in on the State of Appsec in 2025 - Sandy Carielli, Janet Worthington - ASW #338 1:07:15

1 How Fuzzing Barcodes Raises the Bar for Secure Code - Artur Cygan - ASW #336 1:01:18

1 Threat Modeling With Good Questions and Without Checklists - Farshad Abasi - ASW #335 1:08:00

1 Bringing CISA's Secure by Design Principles to OT Systems - Matthew Rogers - ASW #334 1:09:09

1 AI in AppSec: Agentic Tools, Vibe Coding Risks & Securing Non-Human Identities - Mo Aboul-Magd, Brian Fox, Mark Lambert, Shahar Man - ASW #332 1:04:35

1 Appsec News & Interviews from RSAC on Identity and AI - Charlotte Wylie, Rami Saas - ASW #331 1:01:48

1 Secure Code Reviews, LLM Coding Assistants, and Trusting Code - Rey Bango, Karim Toubba, Gal Elbaz - ASW #330 1:09:38

1 AI Era, New Risks: How Data-Centric Security Reduces Emerging AppSec Threats - Idan Plotnik, Vishal Gupta - ASW #329 1:03:03

1 Managing Secrets - Vlad Matsiiako - ASW #327 1:03:03

1 More WAFs in Blocking Mode and More Security Headaches from LLMs - Sandy Carielli, Janet Worthington - ASW #326 1:14:45

1 In Search of Secure Design - ASW #325 1:07:36
به Player FM خوش آمدید!
Player FM در سراسر وب را برای یافتن پادکست های با کیفیت اسکن می کند تا همین الان لذت ببرید. این بهترین برنامه ی پادکست است که در اندروید، آیفون و وب کار می کند. ثبت نام کنید تا اشتراک های شما در بین دستگاه های مختلف همگام سازی شود.