

Threat Modeling With Good Questions and Without Checklists - Farshad Abasi - ASW #335
Jun 17, 2025
Farshad Abasi, Founder and CEO of Forward Security, shares over 27 years of cybersecurity expertise, emphasizing the importance of effective threat modeling. He argues against lengthy checklists and frameworks like STRIDE, advocating for innovative, developer-engaged strategies instead. The conversation highlights the relevance of user stories and continuous communication in small teams, especially startups. Abasi also reflects on lessons from hyperscaler incidents and the complexities of software deployment and security, all while stressing the role of human insight in tackling modern vulnerabilities.
AI Snips
Early Threat Modeling Challenges
- Farshad Abasi shared his early experience being assigned a threat modeling project with little prior knowledge.
- He initially found 70+ threat scenarios and realized the original approach needed improvement.
STRIDE Is Not A Process
- STRIDE is commonly misunderstood as a process but is actually a threat classification scheme.
- It serves as a conversation starter to consider categories like spoofing or information disclosure.
Use Functional Threat Modeling
- Functional threat modeling focuses on features and abuse cases, not just architecture.
- Asking what could go wrong within system functions uncovers valuable threat scenarios.