The B-MAD Approach to Threat Modeling

Presented at Black Hat Asia 2021 Virtual, May 7, 2021, 1:30 p.m. (30 minutes).

Threat modeling is a family of techniques for discovering what can go wrong with a system and improving its security. Threat modeling techniques often aim to be structured, systematic and comprehensive, and they have to intersect with the organization's systems for delivering products.

In many ways, threat modeling is very easy, as long as you avoid the many traps that await the unwary. This talk is about one particular set of traps in the way that threat modeling is deployed across an organization.

The B-MAD approach to threat modeling is an anti-pattern for threat modeling. It starts with the words "Bring me a diagram" and ends with escalations between security and operations, security and development, and security and the world. Why is that? How can we predict that it's all going to go downhill from those 4 little words? Why do they make up an anti-pattern?
Presenters:

  • Adam Shostack - President, Shostack & Associates
    Adam Shostack is a leading expert on threat modeling, and a consultant, entrepreneur, technologist, author and game designer. He's a member of the Black Hat Review Board and helped create the CVE and many other things. He currently helps many organizations improve their security via Shostack & Associates, and helps startups become great businesses as an advisor and mentor. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Adam is the author of Threat Modeling: Designing for Security, and the co-author of The New School of Information Security.