The State Of Threat Modeling with Chris Romeo & the Devici Advisory Board

Five of the leading threat modeling thought leaders discuss the current and future state of threat modeling in support of security and privacy by design initiatives. This lively discussion includes:

  • The emerging role of threat modeling in security and privacy policies.

  • The need for threat modeling education.

  • The future of threat modeling and the tools that will support it.

Speakers

  • Chris Romeo, CEO, Devici

  • Dr. Kim Wuyts, Cyber & Privacy Manager

  • Izar Tarandach, Senior Principal Security Architect

  • Matt Coles, Threat Modeling Author

  • Sarah-Jane Madden, Global Director of Cyber Defense

Transcript

Chris Romeo  00:00 

Here we go. We are live. And welcome, folks. My name is Chris Romeo. I'm the CEO of Devici. And I want to invite you, or not invite you, you're already here. I want to welcome you to this, this first ever Technical Advisory Board Webinar that we're doing on the concept of threat modeling. So, as a way to start out, I want to invite each of our esteemed panelists to introduce themselves. A lot of these folks that you see on the screen right now. Everybody on this screen is quite famous in the world of threat modeling, so, but for those that might not be as deep into the world of threat modeling, Kim, why don't you go ahead and kick us off with an intro.

Dr. Kim Wuyts  00:44 

Hi, I'm Kim Wuyts. I'm currently a Manager of Cyber & Privacy at PwC in Belgium, and before that, I was a researcher at the university in Leuven. And there I designed the privacy threat modeling framework called LINDDUN.

Chris Romeo  00:59 

Okay, thank you, Kim. I'm just going to highlight that for those people that might not have been 100% paying attention. Yes, Kim is one of the people I think of as the person in privacy threat modeling in the world. And she's gonna try to play it off. But she is really the gigantic brain behind privacy threat modeling. And really the reason we have LINDDUN as a methodology. So Sarah-Jane, coming to you next.

Sarah-Jane Madden  01:29 

Alright, yeah, I'm Sarah-Jane Madden, and I do not work for a security company. Where I come to this is I work with real security teams, and real development teams in a technology firm of a Fortune 500. And sort of boots on the ground actually implementing the types of things we talk about today. So I've been on the threat modeling journey for quite a number of years, I've seen it grow. And I have some observations.

Chris Romeo  01:57 

Excellent. And I can say I was introduced to you, Sarah-Jane, at OWASP, Dublin, where you did a talk about threat modeling that Izar and I were both in the audience for, and we were sitting, we were both kind of sitting there looking at each other going. She gets this in a whole different way than anybody else has - I've ever seen anybody else express it. So that's what kind of kicked off and then I invited you to join me on the AppSec podcast. Because I wanted to hear the story. I'm like, I want to hear more about this. So yeah, that was how I was introduced to you. And I was just blown away by the content and the topic of that talk was just incredible. So all right. Some other of the recognizable subjects. We'll go to Matt first, because he's smiling. 

Matt Coles  02:40 

Is that the only reason? 

Izar Tarandach  02:41 

Yeah, I told you to never smile.  

Matt Coles  02:44 

Yeah, I'm a security person. Why would I smile? So I'm Matt Coles. I'm a product and application security engineer at a large tech firm, both a producer and consumer of components and systems. And I've been doing product security for 20, something close to 20 years now, been involved in threat modeling for at least the past 10 I'd say, had an opportunity to co-author a book on threat modeling with Izar over here. And along with everyone else here part of the Threat Modeling Manifesto group. You may recognize the Threat Modeling Manifesto and the capabilities we recently released.

Chris Romeo  03:28 

Thanks, Matt. And that is the de facto for me - the go to book I literally have a copy of it right here. The book that they're talking about that they wrote. So that's the one that, I keep it right on my desk. But yeah, I think of that book that Matt and Izar wrote as the book that I recommend to people right now. I think it's the most up to date, understanding the depth and breadth of threat modeling. So Izar, tell us who you are. 

Izar Tarandach  03:56 

Oh, if I only knew. So my name is Izar Tarandach, and I do threat modeling things. I do security stuff, but I've been around, I guess, like, yeah. 

Chris Romeo  04:11 

That's an introduction. That would meet the definition of introduction.  

Matt Coles  04:21 

That was a short introduction of Izar.  

Izar Tarandach  04:23 

No, I mean, like, okay, there's ITM, so there's the book, so there's the manifesto, there is threat modeling that we all participate in somehow and keep pushing forward. And I think that I mainly do threat modeling things.  

Chris Romeo  04:39 

That's a good way to describe it. It could be... Izar's famous for his t-shirt collection. So that could be a t-shirt in the future. "I do Threat Modeling things."

Izar Tarandach  04:48 

I like big threat models, and I cannot lie. 

Chris Romeo  04:50 

I'm gonna let that one - I'm gonna leave that one alone.  

Matt Coles  04:53

It's a family show. This is a family show. 

Chris Romeo  04:55

You're encouraging me to continue the lyrics all the way through, and so this is partially why the Devici Technical Advisory Board is so much fun because as you're seeing, these are fun people. And we don't take ourselves too seriously as well. We like to have fun. Yes, we like threat modeling. But we also like to have fun and joke around as well. So I want to encourage our audience, anybody that's listening in right now, you can feel free to add a question, if you want to put a question out to the panel here, you have the ability as a comment under this live stream that you're watching on LinkedIn. If you do that, I'm watching them. And I will potentially, depending on what it says, I may provide it to the panel, I will be kind of checking those out as we go. But we also have the ability to interact with those. But I wanted to start out by setting the stage: what do we see as the current state of threat modeling right now? And Sarah-Jane, I'm gonna come to you first because I know that everybody that's represented on the panel here is coming from different perspectives, you're kind of in the trenches where people are doing this, Kim's advising people on how to do this from kind of a consulting perspective. Matt and Izar are both in the trenches as well. But Sarah-Jane, from your perspective, like when you think about the state of threat modeling, where do you think we are?

Sarah-Jane Madden  06:13

I think we're somewhere around puberty, to be honest with you with threat modeling. So I've seen it come a long way from "Oh, it's an idea." And it's developed to a good idea to now there's, you know, various legislation, like the U.S. executive order that came out about, you know, the state of the cyber nation, and it's basically being mandated now, people are starting to sit up and go, "Okay, we really need to understand that." But the reason I say it's like puberty is it's developing, it's non-homogenous, it's been done different ways in different places. And we've now accepted that it's something that should grow. But different teams are at very different points along their journey. And you see that when you go out, you talk with people in the industry. And some people from big tech are way behind, but are at an earlier stage of their journey and their understanding of it. I think that's one of the things I often find is, and even people look back at some of my talks, I say, everybody knows how to threat model kind of intrinsically. But then when you ask somebody, what is it, they can get a little bit confused. And I think that's we're growing, we're seeing improvement there. And now that people have to do it, you know, rather than just do it because it's a good idea. And people are more interested in, you know, getting this practice down. And we're on the cusp of that now, I think. It's, I'm not saying we all gotta do everything the same way. Absolutely not. There's an element of creativity to it. But I'm starting to stack hands and align on, you know, good processes, and what is threat modeling versus risk assessment, etc.

Chris Romeo  08:09

Kim from the privacy side of the world, what do you see as a state of threat modeling? Do you think privacy threat modeling is in the same place as security threat modeling? Or where do you see that today? 

Dr. Kim Wuyts  08:23

Yes, and no, because I think the foundation of privacy threat modeling is the same as security threat modeling. So privacy threat modeling has the luxury to kind of serve on the flow of the maturity of security threat modeling. That doesn't mean that it has the same type of adoption yet. I think we're approaching that. But I see more and more companies, SMEs, but also big tech, really embracing privacy threat modeling as well. And it's also reflected in like guidelines and standards. I was just checking like, the EDPB. So that's the European Data Protection Board who provides guidelines on, for instance, how to understand and apply GDPR, and explicitly mentions threat modeling as a way to tackle privacy by design or data protection by design. Lots of ISO standards on privacy by design, privacy engineering, also explicitly mention "Well, you should do threat modeling to thoroughly implement privacy by design." So there's those standards and guidelines that are kind of forcing people to embrace that. And as I said, we have the luxury to use that maturity that, or puberty, that we have from security threat modeling.

Sarah-Jane Madden  09:39

It's an awkward time.  

Sarah-Jane Madden  09:40

Yeah, we're figuring everything out finding ourselves. Yeah.  

Chris Romeo  09:44

I'm almost thinking about like a sticker – Threat Modeling Puberty. It could be pretty funny for a laptop sticker. Matt, please enlighten us on what you see right now from your viewpoint as the state of threat modeling. Yep, I think you're muted. 

Matt Coles  10:10

Wow, technology at its best. All right. Basic things, pressing buttons. So I was saying I don't know that I agree with it that it's at puberty. I think we've had some steps forward, and then some steps back. And people are regrouping on this activity. So I think we have, there's a lot of experience in certain spaces, right? Government agencies, especially because NIST was a big proponent of this. They called it risk management and other things and then you had safety, doing hazard analysis. And then you had this thing that came out of software development called threat modeling, of course, which Microsoft and others have driven over the years. And there's been a strong showing of lots of different methodologies as Sarah-Jane and Kim have mentioned. And so I think it's moved well beyond this puberty stage. And it's sort of in the terrible twos, or maybe early teenage years, where they're starting to figure it out themselves. And I'm horrible with kid analogies, so excuse me if I completely screwed that up.

Matt Coles  11:24

So, yeah, I guess where I'm going with that is the methods, so first off, we've sort of moved beyond just doing this by hand, although I will say that people get a lot of value out of doing it by hand. But there are other methods now. Right? And there's very in-depth methods, something like, you know, like PASTA, which is this very well defined risk based approach. And then you have the four question framework, which tries to take it back to its basics, right, and making it a bit more freeform and a little bit less structured. And that's getting a lot of traction. But there's no consolidation. It is appearing in more standards, right, it shows up in the CISA secure by design, secure by default, it shows up in the SSDF, it's shown up in automotive security standards over the years. One automotive security standard, if I remember correctly, had two types of threat modeling, it was supposed to do a combination of VAST and PASTA effectively. So there's some, I think there's some confusion about what threat modeling is, what its purpose is, still. And now we have new tools, of course, that are coming available, right? There's the basics of draw a model and do some basic analysis all the way up through to some tooling and automation, of course, that we definitely will be talking about, I'm sure a little bit later. And now with AI, things are going to change even more. So I think we're beyond the initial bump of what is threat modeling. Now we're trying to not get confused with some other things like threat intelligence, and observability. And some other topics that are trying to come into the fold. I will say from a privacy standpoint. Also, since I'm now learning a bit about privacy threat modeling, I wonder if we're going to run into challenges of who gets involved, right? Security threat modeling versus privacy threat modeling is a different group of people who are involved. And it's a different way of looking at a system between the two. So it'll be exciting. And I hope we can do a good job with it. I'm sure Kim will give us a lot of good direction and guidance on how to make that work. So yeah, I'll stop there.

Chris Romeo  14:03

We're all one big threat modeling gang at the end of the day. Security and privacy together. 

Matt Coles  14:09

With our brick walls behind us. We got West Side Story going. 

Chris Romeo  14:14

It's true. I don't know if you're a Jet, or... I don't remember what the other one was, but Izar, you've been reserved and quiet here. What do you see as the state of threat modeling?

Izar Tarandach  14:24

After these three, I think that the only thing that I can say is, "Yeah, sure." But actually, I'm going to take a different timeline here. And rather than going through terrible twos and puberty, which was basically terrible too, I'm going to take that quote of how is it that it goes: "First they ignore you, then they laugh at you, then they fight you, and then you win." And I think that right now we are in the stage of they fight you and going into you win, where I will define the win as bringing them to our side. Meaning, people will fight you still today. "Why do I have to do this stuff?" And between all the tools and all the great stuff that Matt quoted, and the approach that Sarah-Jane put forward, and the privacy stuff that we learned from Kim, I think that we are very close to bringing a critical mass of people to our side, where they recognize that it's not only something that they need to do, because of the many standards and requirements and all that kind of stuff, but it's actually healthy to do, it's actually part of a healthy SDLC. And that the benefits that you get, at the end of the day, improve your system and your products, and your deployments and all that good stuff. So I think that we are starting to see threat modeling not only recognized for what it is, but also there's a lot of eyes on what it could be by unifying a lot of the different activities that we do in SDLC. And bringing them under one umbrella that sort of like looks at everything and offers inputs to a lot of stuff, gets outputs from that stuff and by it betters itself. So it really becomes, rather than that first bubble in the SDLC that says ideation, design, and threat modeling, it becomes embedded in all the other activities and embeds those other activities in itself. So that's where I think that we're going.

Chris Romeo  16:35

So, I like both of these analogies, too. By the way, I like the puberty analogy. And the, you know, "First they ignore you, then they laugh at you, then they fight you and then you win." I like both of these analogies. But it just makes me think like, a lot of people that are trying to push threat modeling inside of large companies or big companies. What do y'all see is the, what's the pushback that people are giving right now? Like, if an AppSec team is like, "Hey, threat modeling is important. We want everybody to do it. CISO has blessed this idea of threat modeling." What's the responses that we're still hearing right now? Because like I grew up in security a long time ago, when people would just be like, "No, we're not gonna do that." And there was nothing we could do about it. Like we had to try to convince them and but what are you seeing? I'm gonna start with Sarah-Jane, just because back to the top of the order here, but what are you seeing as far as how people are pushing back today?

Sarah-Jane Madden  17:38

Alright, so everybody can have a more refined answer as we go each time. That's what you're doing here, Chris. And no, look, it's a fair call. And I kind of celebrate what Izar is saying is that we're in the fight stage. Because that's an advancement, whereas previously, you were going into the room with product managers or whatever, and they're going, "What are you talking about?" Now? It's just "I know what you're talking about, but I'm going to push back on it." That's progress, you know? And that really is progress. And look, I don't want to rely on regulation, whatever, I'd like to think that people do things for the right reasons. That's not necessarily even commercially viable at times. So I think, you know, we're standing on the shoulders of giants as regards the SDLC. You know, and security practices that have come in over the years, things that, you know, I don't think we're all too young to remember when code just went straight from compiled to out the door a long, long time ago, you know, and talk about QA cycles and DevOps. What are you talking about, and that was still, that was producing product. And now we've inserted all these practices for very good reasons. And we are essentially being perceived, as you know, when we talk about threat modeling, putting in another practice, I was like, "Well, I was producing a product up until you opened your mouth, and now I have to do something else before I can actually release." So you have to prove the value. And we come up against a classic security challenge there. You're trying to prove the value of something that hasn't happened. Okay. Well, we've had this all along. So whatever method works for your organization, I suggest you follow it. So however you convince people to patch vulnerabilities, even though, "There's nobody getting at my machine." etc. However you convince them to, you know, not store passwords in plain text because nobody's good. It's the same thing. You know, where we are trying to prove, when you have that stubborn kind of objection. It's normally coming from intelligent people who are under time pressure. You know, I've not come across too many people who just don't get it and don't get the value. I think it's just, it's a case of it's another thing between me and getting product out the door and getting back to the next release, even though I don't suggest that it's sequential like that. You know, it's another practice run. If you can't get it, I would suggest as well ask people to, bury your pride, ask them to indulge you, give it a go. And it sort of proves itself, trying to prove it on paper can be quite difficult. And that's what people are looking for is tangible value from it before they proceed, because developer time is expensive, basically.

Chris Romeo  20:28

Yeah. And that's uh, I want to show you a comment that we've had come in that the pushback is simple: how to measure the impact of TM on the resulting IT systems that are being developed? And so I think, Sarah-Jane, I think that's

Sarah-Jane Madden  20:44 

Essentially, yeah. 

Chris Romeo  20:46 

Yeah, it fits with where you were going as far as your conclusion, right? It's not that people are saying they're not going to do it, and Andre just had another good comment, I'll show you here about, you know, business doesn't care about I feel but actual quantification with numbers. And so, and I think that's an area where we, as security teams, and security people haven't always had the data to back up our conclusions. We've had the charter and the flag that we carry, we will come into a meeting, and we're waving the flag of security and privacy. But we haven't always had the numbers. And so I think that's an important point to think about is how do you prove to the business that this really does add value? You know, when you have something that's the age-old challenge of how do you prove a negative? We've been dealing with it for 30 years.

Matt Coles  21:38 

Can I jump in on that? 

Chris Romeo  21:39 

Please? Please go? Yeah. 

Matt Coles  21:41 

I think it's really important for Andre's question, right? Because this comes down to, and I'm curious how others have solved this. Threat modeling is all about risk and issue avoidance, right? It is not necessarily about discovery, it is not necessarily about remediation. It's about avoidance. And so to your point about proving a negative, how do you rate the value of threat modeling, where you don't have issues at the end, because you've done the activity first, and you've avoided them in the system design as you move forward through the lifecycle. 

Izar Tarandach  22:18 

And to jump onto that, I think that the quantification is important. Sure, if we usually use those numbers to allocate money and resources, time into things that we do, and that we don't. But if we look at threat modeling at its basest, simplest, most idealistic form, which is something that should happen right after design. Let's for a second, forget all the agile and all that stuff. But if you look at it as something that happens at design, the question here is not "How can you measure this?" The question here is, "Are you doing the right thing?" Because if you do design, and you don't take the time to answer those four questions: "What are you building? What could go wrong? What can you do about it?" Let's leave "Did you do a good job?" for a second on the side. But if you don't answer those questions at your design, there's no quantification in the world that's going to stop you from realizing at some point, "My design is bad, I have to stop putting products out and go back to the drawing board and make that design better." Right? So that's something that you are not going to put into numbers. You're not going to say, "I saved X hours, I saved X dollars, I saved, whatever." That is just the right thing to do. So at that time, threat modeling is almost sanitisation of your design, right? You can not do it and suffer the consequences. Or you can do it and not suffer any consequences, or suffer less. So I want to be careful with the focus on putting numbers on spreadsheets and ending up with some magic. You all know that I am not going to use the word hate but I hate simulations and all that good stuff. You know, at the end of the day, we joke that we are selling insurance but we are not quite because any insurance seller is able to come to you with statistical data that has been amassed through the ages saying "Hey, the chances that a male of a certain age is going to have a heart attack are X." We don't have that data. We are saying, we are selling you the do the right thing, not the insurance. If you do the right thing, you'll get better results.

Chris Romeo  24:44 

I'm gonna put my business hat on. I'm gonna let Sarah-Jane, because I saw Sarah-Jane is about to put her business hat on too. 

Sarah-Jane Madden  24:48 

Yeah, so this might sound like quite cynical, but I'm just noting one of Andre's follow on comments and he's in that typical scenario of trying to get business buy-in from non-technical people who, as he says, don't feel the value. You can kind of circumvent that initially until you prove your case because it's very hard to quantify. You can't, it's hard to propose your charts and graphs, or whatever else. But if you, you know, do forget that they do it for the right thing, try and tie it back to some of these executive orders and NIST and all this type of thing that are recommending it, you know, and say, "Well, this is why we have to do it." And the other one that I always peddled particularly to product managers and engineering managers, and I know, that's not quite the business side you're looking at. But when you bring teams back through this, they gain a better understanding of the application they're working on themselves, which, you know, is particularly advantageous in terms of legacy apps. So if you can't sell it on "it's the right thing to do," sometimes selling it on these other factors until people are convinced by the results of the practice itself, and can achieve what you're looking to do by other means.

Chris Romeo  26:17

Yeah, you've got to find the right vehicle to help solve the problem - the right angle inside of that company. Because at the end of the day, the business people are the ones that are driving where resources and headcount is being applied. And it's not us as security people, unfortunately. If we ruled the world, what would it look like? Well, you'd have a security team of 1000 and 10 developers, so we could split them.

Izar Tarandach  26:41 

There is one point where I think that the quantitative and qualitative cross each other, and you could relate to it as feeling, but I think that it does have a quantitative aspect to it. If you ask the developers after threat modeling, "Would you do this again?" And you have a number of them that says, "Yes, I would." Bang, you just prove value. 

Chris Romeo  27:01 

We just created an industry metric, I'm going to call this the Izar Metric of Threat Modeling. It's the human aspect of threat modeling. 

Izar Tarandach  27:11 

But seriously, if you can get people who are really in the beginning totally refractory to the process, or to go into it, and some of them even afraid of it, as we point out in the threat modeling manifesto. And you can get them to look at you and say, You know what, I got value from that I will do it again. 

Chris Romeo  27:32 

Yeah, that's I mean, that's a great, that's a great metric, though, it's a great way to measure human behavior, which we're crossing outside of the technical nature of threat modeling into trying to change culture and get developers to, you know, to perform threat modeling, because they see the value proposition in it as well. Okay, we should change gears, let's talk about the role of tools as threat modeling matures. So Matt made a comment about this earlier. So Matt, I'm gonna go to you first because you had already kind of started us on this path. And then Kim, I'm curious to get your take after Matt's and what you see as the role of tools as this threat modeling process matures. So Matt, why don't you go first.

Matt Coles  28:23 

Yeah, I think that tools, like we've brought up in other places, other discussions, is the way that you improve productivity and gain consistency. Right? That's why we do static code analysis using tools, we use network scanners, we do other things using tools, even to the point of doing things like, you know, just when we build a model, we're going to draw a model, just not having it, you know, on a whiteboard. On the whiteboard is valuable, you get that personal interaction, built with the tool, whether you're using it just for building a model, or using it to describe a model, or you're using it to describe a model and then analyze that model looking for threats. Using the tools as assistance to the humans allows the humans to do other more value-add work. And especially if those tools are providing both the modeling side - meaning you can say, "I have object X and it has these properties, and I can describe that in a consistent way." And then when I want to render that model, I can have consistency in its rendering, at least it will look similar, if not the same, for any given input. But then the real power comes in when I can say "Well, now I've given it, you know, object A, object B, dataflow Y, and these characteristics" and have it generate threats, you know, have it generate what can go wrong and tell me how to mitigate those things. The tools can provide that information based on the information, of course, that humans are feeding to it with best practices and attack patterns and whatnot. But the tooling allows us to really get a consistency and also to provide a level of understanding and raw knowledge that you would have to communicate as a security engineer to your teams, the tools can sort of encode that and then that means a security expert or the developers can spend time thinking about the bigger problems, right? "Where's this going to fit my lifecycle? Or how do I fix this? How do I get this into a backlog? Do I need to re-architect and rework the product?" All of these things can then take center stage and not have to worry about, you know, the reporting or even the threat, the threat analysis portion.

 Chris Romeo  30:41 

And that's one of the things that we're focused on with Devici is, how do we build a platform that has the best possible threat engine and threats and mitigations but also helps you run your program? Because that's one of the bigger challenges that people deal with. It's how do we programmatize this thing, systematize it in such a way that it's a standard thing that developers do versus it's just chaos, which we know what happens when we introduce chaos into a process? It just makes things really challenging for people to be successful.

Matt Coles  31:14 

Before Kim jumps in, I just want to respond to the comment that, that? I think it's Araguay, if I pronounce your name correctly, hopefully that, yes, what tooling also can help is reduce the barrier to entry. Right? And so, again, it frees up the human for doing value-add work. And, you know, if you free them up from the drudgery of drawing, some people find it drudgery - I actually really enjoy it, then you literally could also help with collaboration, depending on which tool you choose. And so that can help by automating parts of that process. And we talked about this in the Threat Modeling Manifesto. By automating part of that process, you can make it more approachable as an activity. Sorry, Kim, I knew you were next, but I didn't want to leave that one dangling.

Dr. Kim Wuyts  32:04 

Yeah, no, I agree. Basically, my answer is what Matt said. Yeah, so I think if you're aiming for a very structured, systematic way to tackle STRIDE, or LINDDUN or whatever approach you're going for, it's really hard to do that manually, because, well, it takes so much time and effort to write it down and to go over all of that. And it's such a repetitive job. And I think there, tooling can help, but, well, there are some tools that just throw hundreds and hundreds of threats in your face and are not really helping. So I think we're looking for this – as Matt said – this assistance, more than that, that will still allow you as a person to have some creativity, but it guides you in that process. It gives you the structure you need to get started to know whether you have like, well, completeness is hard to say in threat modeling, but at least to have some kind of confidence that you tackled all the things, that you have included all the elements. So, I think that's where we're now, where tools can actually help and assist you, not fully automated, necessarily, but assist you in taking the heavy burden from your shoulders and making that part easier.

Chris Romeo  33:26 

Yeah, and that's something that we're focused on at Devici. I know we're gonna get into the AI question here, because I know that's going to be a burning question that a lot of people are thinking about. But our strategy with using AI with features at Devici is: how do we infuse AI in such a way that it makes the experience more simple, it provides you with better insight? But does it result in you talking to a chatbot in the corner, which is the way a lot of people are approaching AI now: "Oh, we do AI, see the little chatbot in the corner, you just click it and you ask it questions." That doesn't help me in the midst of thinking through a threat model. I need AI to give me better insight, based on large language models, at particular times in the equation. Izar, I think you were gonna say something – you were trying to get my attention. Oh, I think you're on mute, though. So I can't interpret what you're saying, but... 

Izar Tarandach  34:26 

If it's not Matt, it's me. And by the way, sorry, I was on a delay before because I have the LinkedIn open too. But anyway. So just to add to what Matt and Kim were saying. I think that one important aspect of tooling here, to get the collaboration and together with overcoming being overwhelmed by stuff, is that a lot of tools – not only threat modeling tools but other security tools as well – have this horrible habit of saying, "You're using us, so you're going to work in a certain way." And that's one more bump in the road for people to adopt it. If I as a tool maker start dictating to people how they should be working, many of them are going to say, "No, that doesn't work for us," and drop the benefits of the tool together with the bad stuff. And that's one cool thing of being on an advisory board of a place like Devici: that you can say, "No, you can be opinionated, but you can't tell me how I'm going to do things. I want to go the other way around." And to have the ability to work with a tool that lets me go the other way around and still get good results. It's refreshing. At the minimum, it is refreshing. 

Sarah-Jane Madden  35:41 

I feel like I'm the dark to everybody else's high-integrity light here, but I'm still gonna make it, I suppose, a very practical comment on tooling. We are now at that stage in our journey where we're going from doing it for the right reasons to doing it because we're being told. And the reality is that if you're in, you know, enterprise software, or whatever, at some point you may be required to prove that you've done threat modeling. In fact, I will say at some point you will be required to prove it. And I absolutely encourage some work to start at the whiteboard, to get that feel for it. But you should be capturing that. This is where the tools help. You can't point out to an auditor that, you know, back six months ago, you stood to have coffee at the whiteboard. Or you can try, but you'll probably get asked some follow-up questions. Whereas when you have, you know, version controls, in which Devici say, "Here we go, this is what we did. Here's what we found. Here's the dates." It's all done for you. That's excellent. You know, that's really, again, taking away work that developers and engineers shouldn't have to do in these scenarios. I think that is, you know, a sideline to the direction we're going. But the reality of where we're going is our tools can be useful. 

Chris Romeo  36:59 

Yeah, definitely. Let's broach this future of threat modeling and the role of AI, because it's on everybody's mind right now. I mean, I feel like Izar and Matt and I, on The Security Table, have talked about this probably too much. We probably used too many minutes of recording time to talk about it. But that's okay. We can talk about it some more in general. So when we think about the future of threat modeling, and the role of AI in that future – Izar, I know you've been thinking about AI quite a bit, studying it at a depth much deeper than I, so – what are your conclusions? Your initial conclusions you've drawn? 

Izar Tarandach  37:37 

Yeah, at this point, I'm worried that AI is thinking about me. So here's the thing about AI. It's like a good band-aid, you know, it's gonna help you if you put it in the right place. And this thing that we have right now, that everybody's putting it everywhere: is it nice? Probably. Are we learning something? Is it going to take us somewhere better? Questionable. And I feel like our place as threat modeling practitioners is to point out to people that what today is called AI, basically LLMs, is great at organizing the army of monkeys typing on typewriters and waiting for some results to come out. So what you get is a subset of monkeys that basically know what you're talking about. And they're typing very fast. But what you're getting is not novel. It's not original. Even though some of them are capable of inference and stuff like that, it's not a given conclusion on the facts that you are presenting. It still depends on garbage in, garbage out. It still depends on things being explained in a format that the thing can understand. And you will still need to know what you're talking about, or what you're getting, in order to look at those results and measure the hallucination level of the thing. So again, it's a tool. It's a helper. It's great for some things, it's less great for other things. And I think that if you substitute the word "tool" in what Kim and Matt and Sarah-Jane said and put in instead AI/LLM, you could be talking about exactly the same thing, right? Is it going to take you down the journey of threat modeling by the hand? I don't think so. Is it going to help you in certain aspects, to shine a light on stuff that perhaps you wouldn't by yourself? Probably yes. 

Matt Coles  40:02 

So, can I ask you a question as a follow up to that? 

Izar Tarandach  40:06 

Since we're here?  

Matt Coles  40:07 

One of the big challenges we have with tools today. 

 Izar Tarandach  40:10 

The big challenges we have with what? 

Matt Coles  40:12 

With tools today. 

 Izar Tarandach  40:14 

Tools, in general? 

 Matt Coles  40:17 

Let me finish. Threat model tools today – many of the ones that we've seen in industry – often operate on a per-element or per-interaction basis. And looking at cross-element and cross-interaction is really like a big game of chess or Go, where there are potentially thousands, if not hundreds of thousands, you know, exponential paths to consider. AI has the potential for doing that analysis where humans can't, and where the tooling that we have has limitations. So there is one aspect I think that AI will be able to help us with eventually: to be able to give us better insights. Right? Do you agree? 

 Izar Tarandach  41:10 

I am going to agree with everything up to the word "better." I think it's going to give us more complete insights, because, as you said, the game of chess and the game of Go – I think less in Go but more in chess, or perhaps the same but bigger – you have the history of moves that can happen, right? And an algorithm can build that tree and walk the options as the opponent walks theirs. And I think that in the case of threat modeling, what's happening here is, all of a sudden, you have this assistant that can look at this huge body of knowledge that you wouldn't have access to. But it's still looking in the rearview mirror. For all intents and purposes, it's still a threat library; it just happens to be a much bigger one. 

 Chris Romeo  41:59 

It's not creating anything new. LLMs do not have an original thought. It's not like there's a light bulb over them that goes on like, "Ding, ah, an original thought has been..." No, that's not how they work. 

 Matt Coles  42:11 

Filter that out at the prompts. Right? 

 Izar Tarandach  42:14 

Soon, in a blog post next to you. You have this thing with guardrails, you have this thing with LLMs, and you have this thing with: where do we focus now? And where can we focus now, because we have this assistant that can look at all the low-hanging fruit, so developers can focus now on the business logic more – the thing that they are creating themselves, right? Because right now you're connecting pieces of things that everybody has connected before in some way. And some of those configurations are known to be more secure than others. So we can leave all that stuff to that body of knowledge and ask an LLM, "What's the right way of implementing, I don't know, S3 buckets and putting it out there?" Right? And it's happily going to bring you out this list of the threats and the mitigations that everybody knows it's down to. But then you start with your processes, your business stuff, the things that you are actually creating, what's novel. And I'm sorry, no LLM in the world is going to give you good threat modeling on those. That will have to come from you, and knowing what you're building. What could go wrong? What can you do about it? And then later on, you can ask yourself, "Did I do a good job?" And do it again. Yeah. 

 Chris Romeo  43:29 

Yeah, I want to get Kim and Sarah-Jane's thoughts on AI, because then we have a great question from somebody in the audience that I want to close out with, in a little bit of a lightning round. But Kim, thoughts on AI. 

 Dr. Kim Wuyts  43:42 

Yeah. What they said. I think there's a lot of potential there. I think we're currently at that stage where we need to be careful about what we use, because there's no transparency about what came into the knowledge base, so to say. So it throws out stuff, but you actually have no idea how to determine whether it makes sense what the LLM is saying. Maybe for threat modeling, any threat you can find is fine, so that might not be that big of a problem. But the more you rely on that – well, as Izar and Matt already said, you need to still be knowledgeable enough to determine whether it makes sense what the LLM is saying. But there's a lot of potential there. I think the easy stuff will be much more complete to tackle, because it's so powerful to capture all of that and give you those things already. And it can guide you through – well, it knows a lot of things, so it can guide you through the process and ask you some questions to trigger your thinking. But it will not do the thinking for you. So I think it's that assistance, as we were talking about the tools before, that can be provided, but it will not solve all the problems. 

Chris Romeo  43:56 

Okay. Sarah-Jane, I'm gonna give you the last word on AI. I mean, it won't be the last word in our industry that's ever spoken about AI.  

 Sarah-Jane Madden  45:11 

No pressure. Yeah, okay. Well, I'm gonna use your words: it's the AI-infused. I think that's where the key point is, that's where it can be helpful. And threat modeling has all the same challenges and nuances with AI as whatever other application. And I'll give you an example from very recently. A colleague of mine was asked by her manager to do a presentation for, you know, exec levels on a technical matter that she's the subject matter expert on. She was completely overstretched at the time, couldn't hit that. And she was very honest: "I literally cannot do it. Either I do that or I do this." So her manager said, "How about this, I'm gonna give it a shot, and give it to you to review." So he did that, very openly using an enterprise AI solution to help him, and gave it to her, and she went on it. It looked beautiful. Okay. But this particular architectural pattern that it was to talk about, it had the old version of it. Okay. And this is not a comment about, oh, the accuracy and reviewing the accuracy or anything, but this overstretched colleague was able to come in and go, "Okay, one, two, that's fine. But here, let me fix this," because her brain was still turned on. And that's both kind of a tale of where AI-infused can help, but also a cautionary tale of not going, "I want the tool that just completely does it by AI," and then getting your developers to stop thinking. The fact that she's still the SME: it got her off the ground. She did not have time to select themes and put the, you know, titles on pages. It did all that for her. And it got it wrong. But that prompted her. It's funny, it was becoming her prompt engineer. And it prompted her to put the issues right: "Oh, let me fix this." And they got the good quality result. I think we can do that in threat modeling as well, but with that AI-infusion rather than AI-driven, AI-focused. You know, don't take people out of threat modeling; it's too much science meets art to do that. 

 Chris Romeo  45:12 

Yeah, definitely. That's a great way to summarize it. So this is gonna be our final question. And this is going to be a lightning round. And a lightning round means you're gonna have just about 15 seconds, and you can't repeat one that somebody else has already said. So let's see if Sarah-Jane wants to go first this time? Or does she want to be fourth this time around? She probably wants to be first. But there are a lot of main selling points. So, Sarah-Jane. 

 Sarah-Jane Madden  47:45 

What are your main points for software development teams? So this user's asked – so specifically in that context. If you're having trouble selling to them, terrify them. Remind them, bring them back to a 3am bug that they had to fix when their hands were tied because it was already out there. And then ask them how nice would it have been if they had discovered that at the design phase? And how differently they might have approached it? And then, you know, I don't know, let them have some fresh air and whatever to calm down. 

 Chris Romeo  48:16 

Fresh air is good to provide after that explanation. Kim, how about you? What are the main selling points? 

 Dr. Kim Wuyts  48:23 

Yeah, that was gonna be my answer, damn. Well, I'm gonna go the compliance route then. Secure by design, privacy by design, that's like the standards, and that's the way you have to do it. And threat modeling is kind of the vehicle that will get you there. 

 Chris Romeo  48:41 

Okay, so kind of coming from the compliance angle. All right, Matt, how about you? 

Matt Coles  48:48 

Well, yeah, Sarah-Jane took my answer. And Kim had a good second. So I'll go with: "Wouldn't it be nice, when you bring in a new software developer to your team, that you can quickly get them up to speed? Threat modeling is a great way to understand your system and to share that knowledge across new and/or revisiting software development team members." 

Chris Romeo  49:11 

Now Izar's had all three of his options taken from him one by one, ripped out of his hands. So Izar, got anything? 

Izar Tarandach  49:20 

If you don't want to make the security panel sad. I don't know.  

Chris Romeo  49:26 

And that's a good selling point, too. We don't want the security panel to be sad. That's definitely true. 

Matt Coles  49:32 

Don't disappoint his art. 

Izar Tarandach  49:33 

But seriously. If you do it, then you're getting confirmation from, as I said before, the other activities in the SDLC, and you're making them stronger. So basically, if you are already embarked on an SDLC process, you are just making sure that you're getting the most out of it by reinforcing the other activities and having your threat model activity reinforced by the others. 

Chris Romeo  50:00 

Definitely. All right. Well, folks, thank you for listening in. And I just want to let folks know that if you want to take a look at Devici, we're still in the midst of our beta. So you could go to Devici.com, and you'll see an opportunity there to sign up for the beta. So we're still accepting some additional folks into that beta to test this thing out as we go. But once again, thanks to my advisory team here, who keep me honest and educate me and even make me laugh from time to time. Thanks for being a part of this team. I feel like we really got some good messaging out to the industry as far as where we're going and where, you know, people can go in the future, and some things they can apply, things they can take to make their threat modeling programs better. So, folks, thanks for joining, and we will do this again in the future. 
