
Coffee, Chaos and ProdSec Ep 28 - What Are We Working On, What Can Go Wrong: A Threat Modeling Wake Up Call
🎙️ Coffee, Chaos and ProdSec, Ep 28
Threat modeling has been around for 30 years. It shows up in every security framework. And most teams are still doing it wrong, too late, or not at all.
So this week, Cameron and Kurt get into it: what threat modeling actually is, why the CI/CD pipeline is almost never in scope, and why a finding with no owner is not a mitigation.
They cover the framework landscape from STRIDE to MAESTRO, the SolarWinds proof point that killed the "our app passed every check" argument, and what JPMorgan Chase and Booking.com are doing in production right now with AI-assisted threat modeling.
There is also a real conversation about AI as a new attack surface that existing frameworks were not built to handle, and where the ownership gap between security and ML engineering is quietly compounding risk.
If you work in Application Security, Product Security, DevSecOps, or Software Supply Chain Security, this one is going to hit close to home.
☕ New episodes every Wednesday. Coffee, Chaos and ProdSec -> strong coffee, stronger opinions.
