Video

Fireside Chat: What to Know About Tech Industry Analysts

In this episode, Katie Norton (Research Manager at IDC) gives a primer on tech industry analysts. The conversation provides insights on how to find the right analyst firm based on company needs and the importance of asking good questions during consultations. Additionally, they address common myths about analysts being 'pay to play' and examine the impact of recent npm supply chain attacks on the industry.

Published on 23 September 2025

Katie Norton, Research Manager at IDC

Jenn Gile, Head of Community at Endor Labs

00:00 Introduction: Analyst vs. Consultant

02:12 Finding the Right Analyst Firm

04:27 The Importance of Asking Good Questions

07:30 Debunking the 'Pay to Play' Myth

10:55 Current Trends in Malware and Supply Chain Security

16:17 Understanding Application Security Posture Management (ASPM)

22:32 Conclusion: Navigating the Analyst Landscape

More resources

Blog
Shifting Left, Done Right

Explore how to successfully shift security left by implementing strategies that make secure coding practices easy for developers, automate non-core engineering tasks (the "outer loop"), and build trust by only prioritizing security findings that are truly important and relevant.

Video
Fireside Chat: A Different Way to Threat Model

Join us for an insightful discussion with Adam Shostack (President of Shostack & Associates, author of many threat modeling books), a renowned expert in threat modeling, as he explains the basics and importance of threat modeling in security. Learn about the four fundamental questions of threat modeling, its application in agile and lean environments, and tips for keeping it lightweight and effective. Adam also shares his journey into the field, his teaching experiences, and how to start a threat modeling program.

Video
The Four Question Framework for Threat Modeling

Adam Shostack is one of the best known thought leaders and instructors in threat modeling. At the October 2025 LeanAppSec Live, we invited him to deliver a lightning talk on the four question framework.

Discover how to efficiently incorporate threat modeling into your security processes without extra budget or headcount.