Member Spotlight

Audrey Long is a talented threat modeler who began her threat modeling journey at Microsoft four years ago, where she is dedicated to helping clients strengthen their security posture within the Azure environment. Since entering the threat modeling world, she has made remarkable strides in her career. As the team captain in the Spring 2024 Threat Modeling Hackathon, she led her diverse team through an intense three-week competition, ultimately emerging as one of the top performers. Their innovative threat model, featuring an exceptional attack tree, impressed judges and was hailed as one of the best seen in decades of threat modeling. We’re excited to dive into her journey and insights!

Tell us a little bit about yourself

‍
Hello! My name is Audrey Long, a Senior Security Software Engineer at Microsoft, based in Seattle, Washington. As a subject matter expert in security and identity, my role is pivotal in assisting clients to enhance their security posture within the Azure environment. My expertise lies in the regular creation of threat models, a crucial tool for identifying and addressing security concerns in relation to Microsoft Azure architecture. Although this is my inaugural professional role as a security engineer specializing in threat modeling, I have been honing my skills and expanding my knowledge in this capacity for the past four years.

Tell us the most pivotal moment in your threat modeling career‍

The most pivotal moment in my threat modeling career came when I was able to identify threats and corresponding mitigations that significantly improved the overall security of the Azure platform. This was not just an achievement on a personal level, but it also had a profound impact on the product as a whole. I took my findings to the product groups, collaborating with them to either devise more elegant solutions or rectify existing issues. This experience underscored the importance of threat modeling in enhancing platform security and reinforced my commitment to this crucial aspect of my role.

Share 2-3 resources that you found most helpful as you grew your threat modeling skills

‍Johns Hopkins class: “Security Engineering” – this went very in depth of classical threat modeling.
Microsoft’s threat modeling fundamentals Threat Modeling Security Fundamentals - Training | Microsoft Learn

‍
Share your hackathon experience with us

What does your team look like?

We have a diverse team with members spanning across 16 time zones. Our mentor, Altaz Valani, guided us with invaluable insights. The team included Niharika Gehani (based in U.S), Sr Security Systems Engineer at EPAM Systems, Joyce Sulit, based in Philippines, Cloud Systems Engineer at Reed Elsevier, and Vicente Yueh, Singapore, Cyber Security Engineer at Mercedes-Benz.

What was the biggest challenge and what made you feel proud?

The biggest challenge was coordinating our schedules and uniting on a coherent idea. Our proudest moment was aligning our efforts and progressing with our threat modeling hackathon project.

What do you plan to threat model next based on what you learned during the hackathon?‍‍‍

I plan on expanding my attack tree GPT code to create diagrams with Mermaid. I also plan on introducing enrichment on the LLM.  ‍

What advice would you share with anyone looking into participating in this hackathon in the future?

I loved exploring new techniques, teaching others, and learning to create attack trees for cloud application threat models and their AI significance. I highly recommend this hackathon to anyone looking to grow and sharpen their threat modeling skills. It offers immense learning from mentors, peers, and the community, ensuring relevance in an ever-changing field!

‍