Member Spotlight

Joshua Holmes

2023 Hackathon Leader

Joshua Holmes, a DevSecOps security expert based in Germany, entered the world of threat modeling three years ago and now takes a leading role in running the Threat Modeling program for an international telecommunication company. He took the opportunity of the hackathon to reconnect with colleagues he had worked with in the past. During our virtual interview, we discussed what brought him to join the hackathon, how he, as a team captain, brought the team together, the roadblocks they faced and how they overcame them. We found the key takeaways he shared not only make a successful hackathon team but underpin a robust threat modeling program.

What’s your role, and where are you based?

I’m a DevSecOps Security Expert based in Munich, Germany.
When and how did you begin your threat modeling journey?

First threat model ever done was 3 years ago utilizing a small Excel sheet we had quickly put together, it came as a request from the risk team to look further into the architecture of an application that risk had recently been raised against. However, it wasn’t until a year ago that Threat Modeling became more of a day-to-day exercise as the need for threat model became greater and greater, and the results of said threat models were appreciated.
Share your hackathon experience with us

What drew you to participate in the Spring 2023 hackathon?

I was curious to see how other people/ teams would Threat Model the same case study. Seeing how others approach the same case study and develop different strategies or attack scenarios was of great interest to me. Learning how others do something can help you assess the way you are currently doing it and broaden your view of other methods that you may not have been aware of.

What does your team look like, and how did you work together?

We had all worked together in the past on different projects, some team members I had not spoken to in quite some time as they had moved to different companies; however, I reached out to them on LinkedIn and knew they would most likely be interested. From there we started having team meetings to bring everyone up to speed, and it just took off. There was good energy in the team, and each individual had a different task that they wanted to tackle. Some members wanted to draw out the architecture others wanted to build attack trees. Each member brought their skill set into the team and contributed in their area of strength.

(My teammates: Michael H@michaelh, Jan @jpschmitz, Michael B @Michael Bernhardt, Wilhelm @biyahis42, Benjamin @part10, Simona @Simona)    

Michael H and Jan
Michael Bernhardt
Wilhe
Benjamin

What was the biggest challenge your team faced? How did you overcome it?

The time requirement snuck up on us. Between work and regular day-to-day tasks, we did not sync too much the first week, and then when realizing that the case study was a bit more complex than originally anticipated we ramped up the meetings the last week. It would have been beneficial to have been able to spend some more time on the attack trees. We spent a lot of time on the diagram and discussing “what can go wrong” or if this area of the diagram made sense. In the end, we rushed the attack trees and retro.
Going from here

What are your top 3 takeaways about threat modeling from this hackathon?

  • Don’t get too hung up on all the different things that can go wrong, take the top 2-3 and focus on those, build good attack trees and understand the issue and how to remediate it.
  • Planning is key, set a pace stick to it, and don’t underestimate how complex a system can get.
  • Find a platform that works for collaboration. We tried different platforms we tried Miro, teams, and google drive. In the end, just having good meetings to sync on topics and share screens to go through areas was the best approach. We emailed content back and forth and had lots of small discussions via chat.

What do you plan to threat model next?

At our company, there are many applications that will need Threat Modeling so the pool of threat models is plentiful.

About Community Spotlight
In this blog series, we’re featuring star members of our community - up and coming threat modeling practitioners, top contributors of Threat Modeling Connect, best-in-class threat modeling experts - and their threat modeling stories. Email hello@threatmodelingconnect.com with your story for an opportunity to be featured!