EP215 Threat Modeling at Google: From Basics to AI-powered Magic

Topics covered:

• Can you walk us through Google's typical threat modeling process? What are the key steps involved?
• Threat modeling can be applied to various areas. Where does Google utilize it the most? How do we apply this to huge and complex systems?
• How does Google keep its threat models updated? What triggers a reassessment?
• How does Google operationalize threat modeling information to prioritize security work and resource allocation? How does it influence your security posture?
• What are the biggest challenges Google faces in scaling and improving its threat modeling practices? Any stories where we got this wrong?
• How can LLMs like Gemini improve Google's threat modeling activities? Can you share examples of basic and more sophisticated techniques?
• What advice would you give to organizations just starting with threat modeling?