HOW TO Threat Model Digital Applications in Cloud
Cloud Security Podcast21 Elo 2022

HOW TO Threat Model Digital Applications in Cloud

In this episode of the Virtual Coffee with Ashish edition, we spoke with Jeevan Singh (Jeevan's Linkedin) about Threat Modelling STRIDE Threat Modelling can be used for self service Application running in Cloud and allowing Security Teams to go on holiday without worrying about Digital Supply Chain.

Episode ShowNotes, Links and Transcript on Cloud Security Podcast: www.cloudsecuritypodcast.tv

Host Twitter: Ashish Rajan (@hashishrajan)

Guest Twitter: Jeevan Singh (Jeevan's Linkedin)

Podcast Twitter - @CloudSecPod @CloudSecureNews

If you want to watch videos of this LIVE STREAMED episode and past episodes - Check out our other Cloud Security Social Channels:

- Cloud Security News

- Cloud Security Academy


Spotify TimeStamp for Interview Questions

(00:00) Ashish's Intro to the Episode

(02:15) https://snyk.io/csp

(02:40) Jeevan's Professional Background

(04:23) What is threat modelling

(05:35) Flicking the Threat Modelling switch

(06:47) Common AppSec Mistake

(09:58) What is Threat Modelling Important?

(11:46) Tainted Flow Analysis and Threat Modelling

(13:00) Where does this fit in CI/CD?

(14:25) Security Teams going on vacation made possible

(15:34) Impact of teaching developers how to run Threat Model

(16:33) First time running Observe Phase of Threat Modelling with Developers

(17:13) Developers are better at Threat Model than Security

(19:09) Level of programming expertise for Threat Modelling

(21:32) Fixing Threats vs Finding relevant controls for the threat

(22:00) Bad example of role of Threat Modelling in Business

(23:41) Should Threat Model be done in Dev?

(24:54) Example of Threat Model for an App hosted in Cloud?

(27:27) Threat Model Skeleton for Cloud Native Apps

(30:12) Does complexity increase with multi-cloud/hybrid environments?

(32:27) What’s involved in rolling a Threat model program in an organisation?

(36:26) Who is the minimum representation in Threat modelling session?

(38:30) Advice for folks who are starting threat modelling today in their organization

(41:59) Cultural Change required for Threat Modelling

(43:19) Example of getting Management agreement

(44:58) Jeevan's 4 Stage of Threat model talk - https://www.youtube.com/watch?v=DtvjJL8xcPY

(45:28) Time-boxing Threat Model Sessions

(48:21) Maintaining Quality of Risk identified during threat modeling

(50:21) Keeping developers updated on latest security vulnerabilities

(54:07) Jeevan’s Favourite Threat Model Type

(55:09) Where can people learn threat modelling?

(56:12) Fun Section

Jaksot(344)

5 Skills to Level Up Your Cloud Hacking

5 Skills to Level Up Your Cloud Hacking

BlackHat 2023 and Defcon 31 Roundup were the breeding ground for new and existing hackers to come together and share what to look out for in 2023 and 2024. The skills that stood out were - Identity - ...

7 Loka 202315min

Become a Cloud Native CISO in 2023

Become a Cloud Native CISO in 2023

Michael Piacente has been helping companies find Security Executives (CISO) for a long time for some household name companies like Lyft, Instacart, Airbnb and more . In episode we speak about his curr...

2 Loka 202337min

Software Supply Chain Controls for Terraform

Software Supply Chain Controls for Terraform

Understanding Software Supply Chain security threats for Terraform which has been the default for Infrastructure as Code is important. in this episode Mike Ruth is sharing his experience of working on...

21 Syys 202340min

Data Security RoadMap in 2023

Data Security RoadMap in 2023

DSPM or Data Security Posture Management with Yotam Segev from Cyera: Most security teams have known about data challenges in their organization and some of them are put in the too hard to solve right...

18 Syys 202317min

The Cloud to Code Dilemma - Let's Talk

The Cloud to Code Dilemma - Let's Talk

Is it code to cloud or cloud to code with Harshil Parikh from Tromzo: A lot of leaders today face the inevitable question of should i start with the code or the cloud first. Harshil Parikh from Tromzo...

9 Syys 202324min

CISO Perspective: Josh Lemos, CISO of Gitlab

CISO Perspective: Josh Lemos, CISO of Gitlab

Josh Lemos former CISO of Block and the current CISO of GitLab comes from a pentester background and made his way to become a CISO. We were lucky enough to interview him during the hacker summer camp ...

6 Syys 202320min

The Azure Cloud Security Pentesting Skills You NEED!

The Azure Cloud Security Pentesting Skills You NEED!

Karl Fosaaen, the author of Penetration Testing "Azure for Ethical Hacker" and the VP of Research at NetSPI, came as a guest to share why the penetration Test of a Web Application hosted on Azure Clou...

28 Elo 202329min

How to detect software supply chain attacks with Honeytokens?

How to detect software supply chain attacks with Honeytokens?

Can Honeytokens be used in your supply chain security? Turns out we can! We spoke to Mackenzie Jackson ( @advocatemack ) from  @GitGuardian  about the benefits of using Honeytokens, which organisation...

25 Elo 202319min