Developing a Threat Modeling Mindset

Presented at SOURCE Seattle 2017, Oct. 4, 2017, 11:35 a.m. (40 minutes)

Nearly every day we hear about another compromise of a system that involves a breakdown of security. In many cases, the reason for the compromise can be traced back to vulnerabilities that were not found or understood, and not mitigated. The attacker(s) used those vulnerabilities to carry out threats against the system. Threat modeling is a way of thinking about what can go wrong and how to prevent it. Instinctively, we all think this way with regard to our own personal security and safety. When it comes to building or evaluating information systems, we need to develop a similar mindset. In this session, you will learn practical strategies to develop a threat modeling mindset by understanding a system, identifying threats, identifying vulnerabilities, determining mitigations, and applying the mitigations through risk management.


  • Robert Hurlbut - President at Robert Hurlbut Consulting Services
    Robert Hurlbut, based in Enfield, CT, is a software security consultant and trainer. Robert is a Microsoft MVP for Developer Technologies and Security and holds the (ISC)² CSSLP security certification. Robert has 30 years of industry experience in software security, software architecture, and software development. He speaks at user groups and at national and international conferences, and provides training for many clients. You can follow Robert on his blog at and on Twitter at and co-hosting on the Application Security Podcast at