Insights from ThreatModCon 2024 Lisbon
I spent a thought-provoking weekend at the inaugural European Threat Modelling Conference in Lisbon. I always find value in connecting with peers and exploring new perspectives.
Keynote: A Holistic Approach to Threat Modeling
The conference started with a great panel with Isabel Barberá, Irene Michlin, Kim Wuyts and Roos Hubrechtsen. This panel reinforced my belief in a holistic, systems-focused approach to threat modelling, where collaboration is critical. The challenge of scaling threat modelling resonated with me, as organisations of all sizes and maturity levels face it.
The panel-style keynote, given by Isabel Barberá, Irene Michlin, Kim Wuyts and Roos Hubrechtsen (left to right).
Inherent Threats
Adam Shostack's insights on inherent threats, those fundamental risks inherent to a system's design or business process, reminded me that many vulnerabilities arise simply because nobody thought to look for them. He emphasised that simple, precise threat models are crucial for identifying these risks early on. Whether it's a banking app that could mistakenly transfer funds or a large language model that might hallucinate, understanding these inherent threats allows us to prioritise mitigations, implement safeguards, or even accept certain risks consciously.
Adam Shostack’s session on managing inherent threat.
Threat Modeling and Enterprise Architecture
I was particularly interested in Roos Hubrechtsen's presentation on enterprise security architecture and the benefits of following a layered approach to threat modelling by leveraging patterns and shared knowledge to address this challenge. Collaboration during the design stage is crucial to success.
The emergence of AI in the threat landscape sparked insightful conversations. The focus on AI security and responsible AI highlighted the need for proactive measures to ensure vendors and users use these technologies securely.
Threat Modeling and Responsible AI
The PLOT4.ai project, showcased by Isabel Barberá, highlights the value of threat modelling practices and the power of combining them with gamified experiences. It demonstrates the collaborative spirit needed in the threat modelling community, where vendors, practitioners, and communities can work together to address complex challenges.
Developer Engagement
Jonathan Marcil provided valuable insights into how we can better support developers in adopting this practice through education, tools, and a culture of collaboration.
Final Thoughts
I leave the conference thinking about the diverse perspectives and approaches within the threat modelling community. While tools and techniques are important, the human element remains central to success.
Conferences like ThreatModCon24Lisbon are vital in fostering knowledge exchange and collaboration, driving the field forward.
Thanks to Threat Modeling Connect and everyone who contributed to the event. I hope to see you all again in the next ThreatModCon in San Francisco on the 27th and 28th of September.
Keep threat modelling!