In this video, learn how whiteboard diagrams act as models, creating shared mental models and scope.
- The first question in threat modeling is what are we working on? The reason we ask this is like the old parable of the blind folks and the elephant. One touches a leg and thinks it's a tree, another finds the tail and says it's a snake. We need to see the big picture, and so we need a, um, picture! And so I'm going to draw one. The best place to draw the first picture is on a whiteboard. A whiteboard is the epitome of we can erase and change this. You draw a picture of what you're working on, that you can change and evolve.
You draw a picture that everyone can point to and debate. The whiteboard is a place of collaboration. Anyone can add, edit, or adjust it. So let's do it. I'm going to serve ads today, I need a media server. It has to get ads from at least one or two advertisers, so I'll draw them in.
- [Woman] Hey, Adam, what about billing?
- Hey, that's a good idea. Money's good, let's add billing and logs. And there we have it. It's not perfect, no model ever is. The map is not the territory. We may find that we need to add bits or change the diagram as we go, and that's okay. This is a simple diagram that we can point to, we can see, and make sure that everyone's on the same page as we use it to ask, what can go wrong?