Threat Models and Whitewater River Paddling

Threat models and risk assessments are universal. If you have the mentality, you can consistently apply it in all aspects of life. I spend a lot of time thinking about medical device security, but I also spend a lot of time on rivers doing whitewater rafting and kayaking. The crossover between the two is striking.

PASTA, Attack Trees, Did We Do a Good Job, and the Infrastructure Nobody Built

I’ve been kicking around some ideas on threat modeling lately – scoring timing, PASTA’s problem, where to start, and some project ideas that keep nagging at me. None of this is groundbreaking. Most of it is stuff the community has been circling for years.

NMAP's Hidden DICOM Support

Most people don’t know that NMAP, the port scanning tool everyone and their mother has used, actually supports DICOM. And not in some half-baked “we added a port number” way. There are real NSE scripts doing real DICOM protocol work. As someone who works on medical devices, I felt the need to break this down because the default tooling should have been doing more here all along.

Beyond Threat Model Templates

My viewpoint on threat modeling has matured since my last post on templates. Recently, I have been using template threat modeling combined with process and user-needs threat modeling, with some GenAI sprinkled in to help out. If you’re not familiar with template threat modeling, check out my other post.

The Security Mindset: A Field Guide for Junior Engineers

I keep finding myself repeating the same advice to junior engineers. None of it is about tools. None of it is about certifications. All of it is about how you think.