Recap: ThreatModCon 2024 Lisbon

That’s a wrap for the first-ever #ThreatModCon in Europe – another fully SOLD-OUT venue following the first ThreatModCon in the U.S. last year.

Kudos to our amazing speakers, incredible sponsors, and most importantly, our #ThreatModelingConnect community for joining us for two days of immersive threat modeling discussions! While we appreciate our Zoom meetings, there's something magical about enjoying the Lisbon sunset on a boat trip together, learning, collaborating, problem-solving, and threat modeling alongside leading experts.

Here are some highlights of the event, including a summary of the 10 sessions of the conference broken down by six themes.

Sunset Cruise Reception

Our two-day conference, held on June 28-29 in Lisbon, Portugal, kicked off with a sunset cruise along the Tagus River. The weather could have been better, but it didn't seem to bother us – the atmosphere was super vibrant and the excitement palpable. Meeting each other, some for the first time ever and others for the first time in person, was enhanced by great food, an open bar, a fantastic DJ, and the stunning backdrop of Lisbon.

Opening and Keynote

The conference officially began with Sebastien Deleersnyder, our conference committee chair, who spearheaded the development of the conference program alongside a group of leading threat modeling experts: Brook Schoenfield, Chris Ramirez, Irene Michlin, Izar Tarandach, Matthew Coles, Sean Glencross, Sandy Blackwell, and Zoe Braiterman.

Then came the highly anticipated keynote—or rather, the not-a-keynote keynote—an innovative ThreatModCon tradition introduced by Matt Coles. This year, we were privileged to have Irene Michlin, Kim Wuyts, Roos Hubrechtsen, and Isabel Barberá, leading voices in security and privacy threat modeling, lead the interactive keynote. They discussed topics such as balancing craft and science in threat modeling, integrating threat modeling into business discussions, measuring the efficacy of threat modeling initiatives, and the communication skills required for effective threat modeling. The live audience interaction made this session particularly engaging.

Theme 1: Advanced Threat Modeling Techniques

This year, the focus shifted from the “why” of threat modeling to the “how.” Adam Shostack's talk on “Inherent Threats and How to Manage Them” provided strategies for managing threats inherent to the very nature or purpose of a system.

James Rabe’s “Are We There Yet? Defining Doing, Done, and Deliverables” addressed the crucial distinctions within the threat modeling process, offering a comprehensive framework to enhance its efficacy and efficiency.

Roos Hubrechtsen’s “Layered Threat Modeling: An Enterprise Architecture Approach” introduced a methodology for identifying architectural threats on enterprise architecture models in the ArchiMate language.

Theme 2: Threat Modeling and DevSecOps

Mohamed AboElKheir’s workshop, “Using Threat Modeling to Create a Robust DevSecOps Plan,” introduced a framework that uses threat models as a guide for creating a security plan. This plan helps select, implement, and configure the right security tools to address mitigations identified in the threat model, embedding these tools seamlessly into the SDLC.

Theme 3: Scalable Threat Modeling

Starting from no threat modeling to some threat modeling is a huge step forward. Yet scaling threat modeling practices presents unique challenges. Nick Vinson’s talk, “Frontloading Security: Snyk's Approach to Scalable Threat Modeling,” introduced a framework built by his team that incorporates threat modeling as a continuous DevSecOps practice, allowing teams to threat model effectively at speed and scale.

Theme 4: Developer Engagement

Jonathan Marcil’s “Threat Modeling for Developers” explored how to engage developers in threat modeling. By using Threat Modeling Capabilities as a storytelling tool, he demonstrated how developers can see the value of threat modeling and how it can be applied in both small and large organizations from their perspective.

Frank Simorjay’s “Threat Modeling Peer Review Program” unveiled Microsoft’s approach to peer review program in threat modeling, sharing milestones from basic introductions to advanced concepts, and highlighting how the program significantly improved code quality.

Theme 5: Threat Modeling and Community

Expanding from his talk at ThreatModCon 2023, Dr. Michael Loadenthal delves into how technical threat modeling enhances security assessments in human-organizational contexts in his session at ThreatModCon 2024 Lisbon “Expanding the Toolset: Taking Threat Modeling Offline for IRL Human Application.” Exploring bidirectional influence between technical and non-technical realms, he showed how to use data flow diagrams to map human networks and leverage socio-political, economic, and legal factors to prioritize mitigation, fostering proactive harm reduction.

Theme 6: AI Threat Modeling and Privacy

With the rise of AI, ethical concerns and risks have become more prominent. Isabel Barberá’s workshop on “AI Threat Modeling With PLOT4ai” introduced a holistic approach to identifying risks in AI systems. Using the PLOT4ai card games, participants identified risks during the design phase of real-life AI use cases.

Venue and food

Held in one of Lisbon's trendiest riverside restaurants, the conference featured stunning views and incredible food. With rooms surrounded by large windows overlooking the Tagus River, coffee breaks and lunches of delicate Mediterranean cuisine were enjoyed on a beautiful terrace. Plenty of lounge spaces, both indoor and outdoor, facilitated networking.

We ♥️ Our Community

Seeing each other face to face was special, especially after numerous Zoom meetings. Hackathon teams met their mentors and judges, and we met an OWASP Japan leader whose threat modeling workshops are going viral. Many of our community members also stepped in to support the event, from working at the reception desk to moderating the talks and assisting speakers and sponsors.

Thanks to Our Sponsors

We owe a huge thanks to our sponsors: IriusRisk, Toreon, ArmorCode, and Shostack Associates. Their generous support made this incredible experience possible, fostering learning, collaboration, and networking. Their top-notch technologies, services, and their investment in building a threat modeling community were pivotal in moving our industry forward.