What We Discuss with Jeevan Singh:
- 00:00 Intro Music
- 01:39 https://snyk.io/csp
- 01:55 Ashish’s Intro to the Episode
- 03:05 Jeevan’s Professional Background
- 05:01 What is Threat Modelling in 2022
- 06:21 Flicking the Threat Modelling switch
- 07:34 Common AppSec Mistake
- 10:50 Why is Threat Modelling important?
- 12:47 Data Flow Analysis/Arch diagram and Threat Modelling
- 14:13 Where does this fit in CI/CD?
- 15:48 Security Teams going on vacation made possible
- 17:04 Impact of teaching developers how to run Threat Model
- 18:03 First time running Observe Phase of Threat Modelling with Developers
- 18:42 Developers are better at Threat Model than Security
- 20:44 Level of programming expertise for Threat Modelling
- 23:11 Fixing Threats vs Finding relevant controls for the threat
- 23:44 Bad example of role of Threat Modelling in Business
- 25:24 Should Threat Model be done in Dev?
- 26:38 Example of Threat Model for an App hosted in Cloud?
- 29:13 Threat Model Skeleton for Cloud Native Apps
- 32:05 Does complexity increase with multi-cloud/hybrid environments?
- 34:20 What’s involved in rolling out a Threat Modelling program in an organisation?
- 38:19 Who is the minimum representation in a Threat Modelling session?
- 40:23 Advice for folks who are starting threat modelling today in their organization
- 43:52 Cultural Change required for Threat Modelling
- 45:12 Example of getting Management agreement
- 46:52 Jeevan’s talk – BSides SF 2022
- 47:21 Time-boxing Threat Model Sessions
- 50:14 Maintaining Quality of Risk identified during threat modelling
- 52:14 Keeping developers updated on latest security vulnerabilities
- 56:01 Jeevan’s Favourite Threat Model Type
- 57:03 Where can people learn threat modelling?
- 58:13 Fun Section
THANKS, Jeevan Singh!
If you enjoyed this session with Jeevan Singh, let him know by clicking on the link below and sending him a quick shout out on LinkedIn:
And if you want us to answer your questions on one of our upcoming weekly Feedback Friday episodes, drop us a line at firstname.lastname@example.org.