
Thank you, BSides Calgary, for inviting me. I'm super excited to talk about some of the ways that I've been able to change how we threat model at my current company, and I want to share the big successes of the program and talk a little bit about some of the challenges with it as well. Today we want to talk about how we can change threat modeling. As an industry we always talk about how security should be everyone's responsibility, and I completely agree that we should do that, but let's redefine threat modeling and democratize it so that we can actually make it everyone's responsibility, so everyone knows how to do it and everyone is aware that it is their responsibility.

Agenda: we're going to talk a little bit about what threat modeling is. I'm not going to do too much of a deep dive into it; we'll just cover it at a high level to get on the same page with one another. Then I'll talk a little bit about what self-serve threat modeling is, and then I'll do a deeper dive into the program, how we set it up and what it all means when I talk about it.

A very quick intro about me: I'm a guy that did a ton of software development in my career, like a ridiculous amount, and during that time I was always interested in security. One day a really, really smart security guy told me that I should probably join his team and become a security engineer. It took about a month, but he finally convinced me, and it was the best career decision that I've ever made. That was a really long time ago, and now I try to help other people get into security, which is why I'm involved with OWASP Vancouver and making sure that we provide content for people that are trying to get into the industry as well as content for some of those folks that have been in for a while. One fun fact about me: I'm really good at annoying my family because I talk a lot about risk. Having said that, I was not able to predict the toilet paper shortage at the beginning of the pandemic, so I did not see that coming, if I'm being honest. We have a lot of toilet paper now; even if there is another shortage, we should be well taken care of with respect to that.

Okay, enough about that stuff. Let's actually talk about threat modeling. Again, I don't want to go too much into the details, but I do want to cover the basics so that we're on the same page. What is threat modeling? The goal of threat modeling is fairly straightforward: we just want to identify the assets in our system and figure out the risks to those assets. Once we understand the risks, then it's possible for us to think about all the different ways that we can either protect the asset or attack that asset. So at the very base, threat modeling should be simple, it should be transparent, and we should ensure that everyone has a voice. Everyone's viewpoint is very different; they all come from different careers, different backgrounds. If we take everyone's input, then it's easy for us to build a much more robust system.

Threat modeling is important for a lot of different reasons. As an industry we talk about making security everyone's responsibility, but we also talk about shifting security left, and we talk about it because the further left you shift security, the more robust your systems can potentially become. Threat modeling is pretty far left; we're performing security within the design phase. It also means that you can potentially fix vulnerabilities before they're actually created within the system, and we do that often: as part of our program, we are catching vulnerabilities in the design phase and actually fixing them, and it's super cheap to fix them at that point. Threat modeling is also a great way to discover assets within your system. Whenever we architect a solution, if you know the assets that are part of the system, you'll think a little bit more about making it resilient. You'll either have an attacker mindset to see how you can potentially attack it, or you'll have a defender one, just to make sure that you know how to load balance it or make sure that it's resilient to even common mistakes within your system. Threat modeling is a great way to prioritize remediation efforts. You'll discover a lot of problems within your system, and you have to actually prioritize them to figure out which ones are important and have to be mitigated immediately, either with a change in design or a bunch of libraries that you can pull in for controls, or you'll figure out there's a bunch of really low priority or informational types of threats that you can deal with at another time. So it really forces you to think about what is important and what's not.

For me personally, I love the paper trail of threat models. When I joined my current company, I peeked around and looked at all the previous threat models that were done, and it gave me a great understanding of how we think as an organization about threats and how we want to address them. Also, having a paper trail matters because threat models actually go stale. You may have reviewed a particular system a year ago; some assumptions that you made may no longer be correct, so some of the low or informational priority vulnerabilities are now maybe medium or high, in rare cases even critical. So it's good to have a paper trail for all of this. What we've done recently is actually started using our threat models and sharing them with our security researchers, the third party vendors that are going to hit up our systems, and it really helps validate some of the assumptions that we make and gives us a little bit more confidence in those assumptions as well.
So, a lot of great reasons why threat modeling is important, but we really want to talk about redefining it. Threat modeling is hard, and it's a hard program to implement, so let's talk about different ways to make it a lot easier. Again, I should note that this is just one approach to it; there are other companies that are doing it different ways. This has worked really well for us.

There are a few problems that we're trying to solve. One is that threat modeling is hard to scale. In many companies there are very few folks that actually know how to threat model, and if the company grows, the problem is going to get a lot worse, because usually you can't hire as fast as the engineering teams, and in those situations developers might get blocked by security. So there are only a few options in that scenario: either security kills themselves by trying to threat model everything, which isn't realistic; development may get blocked and have to wait for security, which isn't great for velocity; or security may have to pick and choose the type of things to threat model, which means there are a lot of systems you might not be able to do a security review of. Usually dev gets blocked and security has to pick and choose what to threat model. Those are not ideal situations. Another problem that we want to solve for: in my opinion, application security should focus on the most important tasks. That may include threat modeling, but I want to make sure that we pick and choose which systems we want to threat model, because there could be other, way more impactful things within the business that you might want to work on. So those low value threat models that you do maybe make sense for handing off to someone else.

So what is self-serve threat modeling? Well, in my utopian world, developers are going to do the vast majority of threat models without security even being part of that process.
That means that they're going to identify the assets, discover all the risks to those assets, prioritize those risks, and figure out which ones they want to remediate, and they can go there and redesign things if necessary. Security's focus should be on training engineers and making sure that they're getting better at threat modeling. The better and better they get at threat modeling, the less that you will be involved as part of that threat modeling process. Every year you should have new, improved training that should be rolled out, so anyone new coming into the organization should get all of those trainings, and the developers that are still here should get all the new trainings. I want to make sure that there's consistent learning. A goal for us personally was also to make a bunch of mini security engineers throughout the organization. Having an army of mini security engineers makes sure that everyone is looking for problems within the systems, and the engineering team is really good at finding them and empowered to actually fix them. So if you discovered a flaw or vulnerability in your system, you sort of own it; you have motivation to actually fix it. And this is a great way for security to scale within the organization. With self-serve threat modeling it doesn't matter what size of organization you have; it doesn't matter if you have a hundred engineers or ten thousand. If everyone knows how to look for vulnerabilities as part of a threat modeling session, it can scale through whatever size you have for the organization.

So, having a look, does it solve our problems? Threat modeling is hard to scale: well, when everyone is trained to threat model, by definition we just scaled up the program. The engineering team can now do the vast majority of threat modeling sessions, so that is an easy problem to solve. Engineering should no longer be blocked by security, since engineering is now doing the threat models themselves; they can do the security reviews themselves and don't have to worry about anything else. And finally, security engineers will be able to focus on the most critical of tasks. Again, it could be anything within the organization, whatever provides business value, and it could be threat models themselves.

So does that mean it's time for vacation? Not just yet. I want to talk about what self-serve threat modeling is not. It's not an excuse for security not to be involved as part of the threat modeling process. This is a program where security can actually focus their efforts. I want to make sure that I'm a part of the sessions that are talking about authentication and authorization: is there PHI, are these servers exposed to the internet? I want to be part of those ones. Anything that is internal and likely isn't going to get much use, maybe a service that gets hit once a month, I probably don't need to be involved in, and I can trust that our engineering team can do it themselves. Self-serve threat modeling isn't an excuse to blame developers if they miss anything. We should not point fingers at the developers. I miss things all the time myself, which is why I make sure that whenever I do these sessions I have a good group of folks that do it with me. It's the program that failed; it's a team effort. So we want to make sure that we understand why the vulnerability or problem wasn't identified, and we work together to mitigate those gaps. I know that you aren't going to fear it, but it doesn't mean that security is out of a job. We know that if one of our responsibilities is taken care of by someone else, there are still a hundred other things that we have to deal with. Again, I want to reiterate that this doesn't substitute for other important security items. Some of the threat models are being taken care of by the teams themselves, but you still need to have a robust program, so static analysis, dynamic analysis, bug bounties, pen testing, security metrics, all that sort of stuff is still an important part. Having self-serve threat modeling will help eliminate a lot of vulnerabilities in general over time, but we want to make sure that you still focus on other parts of your system.

So how is the program set up? The way that we envision it there are four phases of the program, and what I personally think is that it really cuts down to two pieces. There's the training phase, which is actually when people have to get trained.
Then observation, and I'll do a deeper dive into what these are individually, but observation is making sure that you're just reviewing what's happening as part of the threat modeling sessions, and personally I feel that's just training v2. The review phase is training v3. And security optional is actually the security optional phase: if you want to join, that's great; if you don't, that's okay as well. Let me do a deeper dive and explain to you what exactly is happening.

Okay, training. In order to do self-serve threat modeling, engineers actually have to know how to threat model, which makes complete sense, and I had some principles when it comes to training. Enhance engineering's motivation to learn: I'm not too sure about you, but I tend to learn a lot when the material is fun and engaging. You want to make sure that the developers want to learn, they want to be part of your sessions, and they want to keep coming to them. So make the sessions interactive, have a lot of questions for the group, keep the group small so that people aren't afraid to speak up or get involved. That's worked really well for us. You've got to remember security is a marathon, not a sprint. You don't have to do all the trainings in one go. I'll talk about how this is a multi-year program, so you don't have to do all of the threat modeling trainings in one sitting. Do the trainings in a way that it is easy to learn and retain that information. I also recommend you teach engineers the things that are relevant to your business. Threat modeling training should be done in the same vein as you actually do threat modeling in your organization: if you use risk assessment, train the engineers to do risk assessment; if you use STRIDE for finding vulnerabilities, train the engineers to do STRIDE. Incorporate your threat modeling workflow into the training too, so it's just a natural progression for them. Again, the goal of the training is to teach people how they can do threat modeling and also to retain the most information.

With those principles in mind, we decided to spread out our training over three sessions, because I didn't want to sit in a security course for an entire day myself. Whenever I go to Black Hat or OWASP conferences, I don't really retain too much information when I do the trainings. The trainers are there and they charge you a lot of money, so they have to provide you all of this material, and I'll sit through 8 hours or 16 hours of training and probably retain about 10% of it on a good day; on regular days it's probably about 5%. So you've got to remember these folks are employees of the company; we're able to structure the training in any fashion that would provide the most benefit to them. So I split up the training into three sessions. The first one was an introduction to the concept of threat modeling, and we use STRIDE at work, so I wanted to make sure that the theory is there, and it gave them a little bit of hands-on practice so that they sort of get the concept. The second training that we put together introduces the concepts of assets and data classification, and we get our hands really dirty with the threat model and put people into groups so they can do a deeper dive. In the third one we actually do a threat model of one of the applications that they own, so that way they're very familiar with it and they know how to deal with it, getting their hands super dirty. So again, this is split into three different sessions. We did it over a six week period, and each session was about an hour and a half, so it really made it easy for people to retain that information and get something out of these sessions. I'll give you a link to the trainings themselves; it's all open source. We didn't think anything proprietary was in it, so we want to make it available to all folks. I have a slide for that.
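As an added example that is not part of the talk or of the speaker's open source training: the STRIDE-per-element method the speaker says their first session introduces, applied in Python to a small constructed data-flow diagram, together with the triage rule the speaker describes (authentication and authorization, PHI, anything exposed to the internet) for deciding which sessions a security engineer should still join. The STRIDE-per-element mapping is the standard one from the Microsoft method; the `Element` fields, the sample system and the exact form of the triage rule are my assumptions.

```python
"""Added example (not from the talk): STRIDE-per-element enumeration over a
constructed data-flow diagram, plus a triage rule for when security joins."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# STRIDE-per-element: which threat categories apply to each DFD element kind.
# Standard mapping from the Microsoft threat modeling method.
STRIDE_PER_ELEMENT: Dict[str, str] = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Data classifications that, per the talk, pull a security engineer into the session.
SENSITIVE_DATA = {"PHI", "PII"}


@dataclass
class Element:
    """One node or edge of the data-flow diagram (fields are assumptions)."""
    name: str
    kind: str                                       # key of STRIDE_PER_ELEMENT
    data: Set[str] = field(default_factory=set)     # classifications handled, e.g. {"PHI"}
    internet_facing: bool = False
    handles_auth: bool = False                      # implements authentication/authorization


def enumerate_threats(elements: List[Element]) -> List[Tuple[str, str]]:
    """Return (element name, STRIDE category) for every category that applies
    to the element's kind. These are the candidate threats a session walks through."""
    threats: List[Tuple[str, str]] = []
    for el in elements:
        if el.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"unknown element kind: {el.kind}")
        for letter in STRIDE_PER_ELEMENT[el.kind]:
            threats.append((el.name, CATEGORY_NAMES[letter]))
    return threats


def needs_security_review(el: Element) -> bool:
    """Triage rule (my rendering of the speaker's list): security joins when the
    element does auth/authz, handles PHI/PII, or is exposed to the internet."""
    return el.handles_auth or el.internet_facing or bool(el.data & SENSITIVE_DATA)


def triage(elements: List[Element]) -> List[str]:
    """Names of elements whose session should include a security engineer."""
    return sorted(el.name for el in elements if needs_security_review(el))


# Constructed sample system: a small records API with a monthly batch job.
SAMPLE = [
    Element("Patient (browser)", "external_entity"),
    Element("API gateway", "process", internet_facing=True, handles_auth=True),
    Element("Records service", "process", data={"PHI"}),
    Element("Records DB", "data_store", data={"PHI"}),
    Element("Browser -> gateway (HTTPS)", "data_flow", internet_facing=True),
    Element("Monthly report job", "process"),          # internal, rarely used
    Element("Job -> metrics store", "data_flow"),
]

if __name__ == "__main__":
    for name, category in enumerate_threats(SAMPLE):
        print(f"{name:32s} {category}")
    print("needs a security engineer in the session:", triage(SAMPLE))
```

The enumeration is deliberately mechanical: it produces the checklist the DRI walks the group through, and the group's job in the session is to decide which candidates are real for their system and how to prioritize them. The triage output matches the talk's split: the internet-facing gateway, the flow across the internet and the PHI-holding components get a security engineer, while the monthly job does not.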
make sure you just screenshot that slide okay some training takeaways again it takes years for our security professionals to get good at threat modeling and it's going to take engineering the same amount of time and you need to bring that training to them so you need to make sure that it is easy digestible for them we tried a few different ways to make sure that the concept of threat modeling was easy for them so we started threat modeling things that were everything like your everyday things we threat modeled personal safety we talked about how you do grocery shopping during covet and we really talked about risks and making them think about risks so once they really understood those physical
safety concepts it was easier for us to translate them back to software and the software domain um i always recommend failing fast i spent a lot of time just trying to build out the training in itself um but once i got it in front of folks we dog food it we gave it to the security team initially and get got them to provide feedback the beta engineering team got more feedback um it was about 98 of the way there did another beta engineering team and it was pretty much perfect so the other challenge that we had is i've never done training over zun until kovit so a few things that i usually do is i make
sure that everyone has their video on and i want people to be engaged so i make sure that i warn people in advance i ask random questions during the whole session so people are on their toes and they pay more attention but ultimately you want to make sure that the training is strong and engaging and nothing can replace it so we've got a lot of great feedback from the training in itself and it made it easier for us to convince other folks to do it okay so we moved on from the training everyone's trained at this point we want to go to observation which again i feel it's training be true you move from theory
and you go into the hands-on apprenticeship part of it so what i usually do is get the dri the directly directly responsible individual i get them to get all of the appropriate people set up for the threat modding session so this dri they will get all the documentation involved they will get the right people to schedule the threat modeling the sessions themselves and then they actually lead the threat modeling session themselves this doesn't really take too much time extra from the engineering team they the dri may put an extra half an hour to get all the documentation involved and then the whole session might be another half an hour for all of the folks as well
the goal of this phase is to get engineering good enough to threat model on their own i try to make sure that i don't tell the engineers themselves what are the vulnerabilities but i do give them hints and coaching towards the vulnerabilities and i want them work with them to sort of figure out how to prioritize the vulnerabilities which ones are the ones that we should focus on which ones we should remediate immediately which ones we can leave for another day and the goal is also to make sure that the engineers leave every thermal session feeling that they've learned something new leaving with a very good um make sure that they're happy about it they shouldn't go away being upset or
sad about these sessions they should be really happy about it so once you start seeing them finding all the critical and high priority vulnerabilities then you know that they're ready to move on to sort of that next stage um again some of the takeaways again you want to coach them you want to make sure that you take them to a place where they can do it on their own it's in our best interest for them to do it um i typically help the engineers with documentation i use that one-on-one time to sell the threat modeling like the purpose of it to the engineer and just making sure that they understand how great it will be when security is no
longer involved part of the process also make sure that everyone knows it is a team sport make sure you have enough people in the conversation there's enough diversity of opinions there too i always dm people that are not talking enough in the threat modeling sessions everyone's voice counts i also teach the dri the one that's responsible for the threat modeling session i teach them to call people out that are being too quiet as well the more conversations that we have part of the threat modeling session the better it is for everyone um so and i always close the loop with the engineer afterwards i let them know they've done a great job if there's some
thoughts that i need to provide them i do that as well and some people are so good at it um literally the first time that we did this self-serve threat modeling um me and another principal security engineer we went into the threat modeling session um the engineers prepared the documentation we got into the room we talked about all the vulnerabilities that he discovered as part of it and how to remediate it um literally me and the other principal security engineer we provided zero additional value the engineer had discovered all of the vulnerabilities that we had in our mind and i was super proud of them it felt really bad because i felt that it was gonna be relevant for
longer but this engineer just sort of made me feel that i was replaceable which ultimately is what the feeling i wanted but yeah and we have several of them um within our company there are a lot of folks that still need a lot of coaching and um experience to do it but you will run into great um engineers all the time so um again uh just a little example closing the loop with engineer afterwards this particular one killed it in a recent session like really really killed it i'm super proud of them um i had a conflicting meeting for the last half of the threat model but i felt very comfortable with leaving um them in
control and just doing their thing so lots of great stuff there um and then the next phase is the review phase where um that's where we're sort of dabbling in my current company security is actually not evolved involved in part of the process the engineering team will do the heavy lifting they'll prepare the documentation to do that modding sessions and the artifacts is what the security team is going to review um so in reality we've run into the situation a few times already at the company there have been some situations where they've been miscommunications the engineer didn't realize that they're not supposed to do the entire threat modeling sessions on their own so when they put the documentation together
they've already done the threat model themselves um and in these situations um the engineers came up with amazing threats and there weren't any critical or high vulnerabilities that they missed um they even found some stuff that i couldn't uh i didn't even discover so it was pretty solid with that so i'm hoping that the next time i give this particular talk i can talk a lot more about the pros and cons about the review phase we only have a few teams that are dabbling in this um space right now but um we're really looking forward to the security optional phase so this is the utopia that we all bring dream about security will be truly
optional security should still be involved in certain situations again we talked about security being involved with authentication authorization pi phi anything touching the internet that sort of stuff those are things that i'm concerned with but uh i'm hoping with the security utopian optional phase and utopia that we see a huge drop in critical and high vulnerabilities and we have to pay more people uh people more as part of our bug bounties to attract them now you can actually kick up your feet for reals so jason you can take your location okay program learnings um so i should have mentioned that uh um that modeling isn't all rainbows and chocolate chip cookies this program is that has a lot of challenges so let me
start off by saying this is a multi-year program um and it's super rare that you have folks that stay on for more than a couple of years in your organization so you need to make sure whoever is running this program is there for multi-years or that there's a bunch of folks that can make this program happen it's going to be a large and key investment from the security team so you need to make sure that there is some sort of continuity that this program will even last if someone were to someone key were to leave the organization again this um this this is a key investment and it makes a ton of sense both from the engineering
side and the security side because it increases engineering velocity security team is involved in the most critical of threat models but it is also a really hard program to manage by individual and it requires a lot of focus and drive to get this going well training is hard for a lot of reasons so i'm not too sure if you've ever delivered someone else's presentation i've done that in the past and it's brutal um like it's super difficult because um it's not your ideas and you don't know really how well to do it so what i usually recommend is you build up the slides and you train the trainers and when you train the trainers you have to give them the
autonomy to do what they need to do with the training so that they can make it their own and they have a sense of ownership and also i you should train trainers i delivered this training for about 120 150 people initially and i was really burnt out with the training in itself like i i know the content inside and out but i didn't after doing two quarters of it i didn't want to look at it again for a while so it took me a i took about a quarter off from it but i trained the trainers in that point let them deliver it so you have to make sure you well balance uh this particular program with a lot of
folks you can still have your regular threat modeling challenges same things that you um all the time so are the devs start modeling all of the things they're supposed to but how can you be sure how do you organize all of your threat models threat models do go stale how do you ensure that you continuously threat model those items these problems just don't go away when you have a self-serve threat modeling program you need to make sure that you're vigilant and ensure that you're on top of things okay so um i'm at my current company it was pretty easy we only have about we're probably close to 200 engineers at this point but how do you scale this
program to a company with seven several thousand developers um and i've mentioned i i personally trained about eighty ninety percent of the engineers at my company but scaling this to several thousand people it's not going to be an easy task um i don't really want to make it a video workshop because anytime i take any security trainings that are over video or privacy trainings i just roll my eyes so you need to structure in a way that you can scale it really well across the entire organization but you still want to have a bit of that hands-on approach that people actually take away some good learnings um speaking of trained individuals it's really hard to have a good ratio folks
that are trained in threat modeling training people always like they continuously leave the company and new people that are untrained join all the time so you need to have a program where you're always training um folks that are available i try to convince hr that we shouldn't allow people to quit their jobs until they train at least one other person with threat modeling they definitely didn't go for that so we'll have to find another strategy for it this is just some of the bigger challenges with this program but there are a ton of other challenges that you'll encounter as well so you need a lot of focus and determination to do this okay so i'm
more than a year into this experiment what have i learned i'll talk to us about some of the great things um but there are some other things i do want to note we are threatening a lot a lot more than we've done in the past um i feel that the concept of threat modeling is now within reach within all of r d and they better understand what needs to be done what's their role within it the knowledge gap maybe played a big part of it um so now that the there isn't as much knowledge gap it it is happening a lot more often the engineers are way way better at threat modeling than you are
they know their systems inside and out this is something that i learned going through it i as a security engineer i'll come in i'll have to learn their system i have about an hour or two just to figure that out and then after that i have to provide them with a list of all of the vulnerabilities these folks work on their systems day in day out they know where all the bodies are buried they now have a they have a framework in which they can identify these issues and call them out as well so um they are way way way better there are a lot of vulnerabilities i could not discover um and and they they just knew where they
were um i always tell folks you know engineers don't have to be perfect at threat modeling they just really need to notice the big issues um but having said that if there are enough folks in the threat modeling sessions they will notice the little ones as well our security culture has improved leaps and bounds and i know a ton of more folks that are interested in security so i don't know if they're more interested because they understand security more or now that they're exposed to what security is really like and it's more interesting to them it doesn't matter in my books uh the more people that are interested in security and wanting to help us out makes my job a lot easier um
i get dms all of the time around questions around security um we've one of my favorite stories as a part of this is that we do use golang often as part of our application and golang dropped some security high security vulnerabilities one of our engineering managers he went in he discovered where all the vulnerabilities are told us that these two matters these four don't matter because we're not using that functionality but um that's something that i would be doing um but he felt empowered to now that he knows a little bit more about security he felt empowered to actually do it so i i keep mentioning about failing fast um i had analysis paralysis with
the training in itself and once i got it out there once we dog food it on the security team and um i tested out on the beta engineering teams i was really i moved really quick with iterating on the content and um i got it in the hands of as many people as possible um so with that um there how do you get started um how can you do this sort of thing um so there's links for a self-serve stuff i've got uh i had a blog post you can have a look there's a little more content there about the program i sort of mentioned that we have open source the training in itself you can
download it. I have my speaker notes in there, feel free to use that for yourself. I also set up an email address, so if you have any additional questions feel free to reach out to me. I want to emphasize that we are a community; we all need to work together to make software safer. We don't need to hide all the things that we do. There are things that we can share, and we can work together. My goal with this, and I'm doing this selfishly, is that there are a lot of really, really smart security people out there and I want to get it into all of your hands so that you can see the program, you can iterate on it, and then I can steal your ideas and incorporate them into my program. So again, feel free to take it, modify it, do it however you want with the training slides.

Okay, so questions. You can hit me up at sstm segment.com, or hit me up on Twitter if you have any questions.

Scott had one: how long does a threat modeling session typically take? Great question. It really depends. I think our typical ones that we set up are about an hour and a half. Usually we have about an hour for the training; pre self-serve threat modeling we usually had about an hour, but we want to make sure that we have a bit of extra time, just because we want to coach people instead of telling people where the vulnerabilities are, and we want to work with the team. We don't want to set the prioritization ourselves; we want to make sure that we work as a team to discover the prioritization, so it takes a little bit longer to make sure that we do it.

What does a threat modeling artifact or documentation look like, and how do you know it is stale? Man, that's a great question. So, artifact: we have an SDD, a software design document, as part of our SDLC. Within there we have a security section,
and within the security section we now have a threat modeling section, and we get people to fill that out. So whenever we review things, we just review the actual model results, making sure that they discovered all the threats and vulnerabilities there. How do we know it goes stale? We move really rapidly at my company; for anything that's over nine months or a year, the system is vastly changed. So although we're threat modeling all the new features that come in, there are still bug fixes and other stuff that happen that drastically change the architecture of some of these systems. We still need a program in which to identify when things go stale, when things are changed, so that we can get involved and re-review some of these things.

Just looking to see if there's any advice for a team that does not have any security staff, just engineers willing to learn, given the lack of knowledge and experience in security. I feel your pain, Igor. I remember starting that way in my career. What I've done in the past is that we did lunch and learns on security. We had a security champion, that was me at that point, and I ran lunch and learns. I had people go through a program that I set up on how to discover vulnerabilities in the system, and that sort of lit a light bulb in their minds, so that they know that, hey, someone can attack our system with an XSS vulnerability, or watch out for the SQL injection. So a lot of that sort of stuff came from just chatting with one another. Again, I'm good at certain things, other people are great at other things, so I made sure that we had those discussions. There's no full-time security expert there; we just had those discussions, and that made it better for all of us. Perfect. Yes, Josh, we will have to catch up at some point.

What tools do you use to track
schedules, who's been trained, who needs a refresher? Oh man, great question, Simon. I initially did this all through Google Sheets. We do have an LMS, a learning management system, that we have migrated into. Actually, this week, tomorrow, I'll be chatting with the person that runs the LMS and getting them to schedule and make sure that we are training all of our engineers. So I'm lucky that I can hand that off to someone else.

When implementing this program, did you have any problems with a liability hot potato, where no one wants to take responsibility if something goes wrong? That's a great question. I feel that I would have gotten that at previous companies, but at my current company we have really strong ownership and everyone has literally bought into security, from the C-suite downwards. We send a weekly security metrics email, and our chief product officer will regularly call out if he notices a spike, or if he notices that security has sort of plateaued, in the number of vulnerabilities or the time that we need to address them. So things aren't like that at my particular company, but I can see that with other folks. What we've done in general at our company is we've taken security out of the conversation: we've really democratized our security vulnerabilities and our threat modeling process, and we made it the responsibility of the director of engineering or VP of engineering. For example, we have vulnerability tickets. Vulnerability tickets take time to get remediated, and most companies have an exception process for when things are taking longer than normal; security is always chasing down people to say, hey, you've got to fix these things. We've stopped doing that. We've actually put the responsibility on the engineering teams. If it's a P4 or P5, the engineering managers themselves can extend the timelines for when things are going to be fixed. If we have a P2, it goes to the chief product officer, so if you're asking him for an extension you may get a lot more questions than you anticipated, and next time you'd want to make sure that you're fixing things on time. So with respect to that, pushing the risk onto the engineering teams and to the leadership within engineering has made it a lot easier for us to reduce the hot potato situation.

Did you find people are resistant to training, and how do you communicate that it's important? Great question. A lot of people were initially worried about it, but I think the word got out about how fun the training was in itself. I try to make it really easy and digestible for folks, and I got a lot of great feedback, which is why I want to fail
fast and iterate through it a bunch of times, making sure that I deliver the best sort of training to those folks. I try to make sure it's not like typical security training that they may receive, where they're rolling their eyes and not wanting to listen. So yeah, I make sure that it's fun and engaging, and I have a bit of that personality, so I call on people and make sure that I follow up with them, making sure that they understand that sort of stuff. I make sure that I really pay attention to the individuals, because I know it took me a few years to get good at threat modeling and I know it's going to take them too, so I came in with a lot of empathy. Perfect, awesome.

If we don't have any other questions, again, feel free to hit me up: ask stevensing on Twitter, sstm segment.com by email. We have the blog post, we have the open-sourced training itself. Have a look, chat about it, iterate on it, make it better, and share with me how you made it better so that I can roll that into my program.

Do you recommend any tool to do threat modeling? There are actually a few companies in the space. Our goal was to make mini security engineers within our organization, which is why we want to teach people how to do threat modeling itself. But there are a few in the space: OWASP, I think, has Threat Dragon, and Microsoft has their tool as well. Those are great tools. I know that some other companies with self-serve threat modeling have gone down the tooling path, where they teach people how to use the tool, and that scaled a lot better for them. I personally can't really recommend anything. I've used the Microsoft one in the past; it's great, it captures everything, but it's also overwhelming if you are someone new to it. You'll come up with 20 different threats and then you're like, okay, which ones are important, which ones are not? So it's hard for me to recommend anything in particular at this moment.

All right folks, have a great one. Nice chatting with you all.