Threat Modeling: Now What?
Over the years, Threat Modeling has progressed from its original focus on client-server software systems into a very well understood process that is widely applicable. Threat models have been created for complex hardware and software systems ranging from operating systems to ATMs to automobiles to devices to the Internet of Things. So where do we go from here? How do you manage the details and focus on the highest risk interfaces and attack surface? What steps should you take to ensure that threat modeling yields the best possible result without becoming yet another mind-numbing process exercise? In this talk, a software industry veteran will seek to provide answers to these and other threat modeling questions, including discussing best practices and approaches for fully assessing and understanding the attack surface and risks of complex systems and devices.
A four-time speaker at BSides Vancouver, Bob Fruth has been involved with more successful product and service releases than he cares to remember. After many successful years in Silicon Valley, Microsoft brought him to Seattle. While at Microsoft, Bob provided security guidance for most of the company’s major product teams, served on and ran the Microsoft Crypto Board, and was the focal point for Bing.com security and privacy. He was recently recruited to focus on security and privacy at GE Healthcare, where he finds himself teaching security essentials and authoring needed policies, all the while worrying about protecting patient medical and financial data. In his spare time, Bob watches soccer and hockey, plays music and enjoys traveling.