- For those not familiar with Threat Modeling, what is it? Also, to clear up potential confusion, what is it not? (e.g. Threat Hunting)
- You were part of an effort to create the Threat Modeling Manifesto, can you tell us a bit about that project?
- We recently saw NIST both define critical software as part of the Cyber EO and also list Threat Modeling as a key activity for critical software. What are your thoughts on that occurring and if you think that will impact the Threat Modeling community?
- Some folks have made comments about Threat Modeling being too cumbersome for methodologies/cultures such as DevOps/DevSecOps. Why do you think some hold that opinion, and is it true?
- Can Threat Modeling be applied to any sort of architecture or system? Are there any major differences between on-prem and cloud systems?
- For organizations looking to get started with Threat Modeling, where do you recommend they start?
- Moving on from getting started, have you seen large organizations with successful or unsuccessful Threat Modeling programs, and what were some major themes either way?
© 2024 Chris Hughes