
Threat Modeling and the Internet of Things

May 2016 Podcast
Art Manion, Allen D. Householder

Art Manion and Allen Householder of the CERT Vulnerability Analysis team talk about threat modeling and its use in improving the security of the Internet of Things (IoT).

The manufacturers making these things might have been in business for 50 or 60 years. They are great at making cars or refrigerators or light bulbs. They have now, in some cases, literally bolted on a small embedded computer with a number of network connections.

Software Engineering Institute

Threat modeling, which has been popularized by Microsoft in the last decade, gives vulnerability analysts a way to analyze a system, identify its attack surfaces, and use that knowledge to harden the system against vulnerabilities. In this podcast, Art Manion and Allen Householder of CERT’s vulnerability analysis team talk about threat modeling and its use in improving the security of the Internet of Things.

About the Speakers

Art Manion

Art Manion is a senior member of the Vulnerability Analysis team in the CERT Program at the Software Engineering Institute (SEI), Carnegie Mellon University. Since joining CERT in 2001, Manion has studied vulnerabilities, coordinated disclosure efforts, and published advisories, alerts, and vulnerability notes for CERT/CC and US-CERT. Manion currently focuses on vulnerability discovery and other areas of applied research, including ways to automate and improve operational vulnerability response. Prior to joining the SEI, Manion was the Director of Network Infrastructure at Juniata College.

Allen D. Householder

Allen Householder is a senior vulnerability and incident researcher at the SEI’s CERT Division. His recent work includes being the technical lead developer for the CERT Basic Fuzzing Framework, or BFF, and Failure Observation Engine, also called FOE, and research into the security of the Internet of Things. His research interests include applications of machine learning and software and system security, fuzzing, and modeling of information sharing and trust among computer security incident response teams.