Threat modeling is something we instinctively already know how to do. If I asked you to help me threat model a camping trip to a park with bears, you could jump right in. You can do that even though you may have never been camping near bears. You are able to build a mental threat model: put up the food, bring bear spray, and you know… maybe just stay in a hotel with decent wifi.
We should, but often don't, apply that same mindset to building a threat model for an application security program. In this introductory talk, we will discuss how to start a formal threat modeling program at your company, how to build a threat model, and how to keep improving your model.