7 min
A Comprehensive Threat Modeling Strategy The Threat Modeling Podcast
-
- Technology
The AppSec community agrees that threat modeling is essential, but many struggle to implement it effectively. Using insight from the LinkedIn community, Chris lays out a comprehensive Threat Modeling strategy to guide AppSec teams to success in this critical discipline.
Before starting, consider the organization's culture, tech debt, and current risk posture. Threat modeling will not be successful in an organization that doesn't prioritize security!
Tie threat modeling to the success of the business. See it as an enabler for the company, and define its success metrics clearly.
Integrate threat modeling into the development process in an agile and incremental manner. It's not about where you start but where you end up. It's essential to begin with critical applications and expand the scope over time.
Keep the Threat Model Up to Date. Threat modeling is a continuous process that adapts to new threats and system changes.
Make threat modeling holistic and straightforward. Start after the high-level design phase, and revisit the model continuously throughout a product's lifecycle.
Concentrate on domain-specific problems, which threat modeling is good at identifying. However, when identifying domain-agnostic issues, use automated approaches.
Special Thanks to the following individuals who provided feedback for this episode: Iswarya Subramanian Balachandar, Kuldeep Kumar, Abdoulkader (Abdo) Dirieh, Rob van der Veer, and Tony Turner.
The AppSec community agrees that threat modeling is essential, but many struggle to implement it effectively. Using insight from the LinkedIn community, Chris lays out a comprehensive Threat Modeling strategy to guide AppSec teams to success in this critical discipline.
Before starting, consider the organization's culture, tech debt, and current risk posture. Threat modeling will not be successful in an organization that doesn't prioritize security!
Tie threat modeling to the success of the business. See it as an enabler for the company, and define its success metrics clearly.
Integrate threat modeling into the development process in an agile and incremental manner. It's not about where you start but where you end up. It's essential to begin with critical applications and expand the scope over time.
Keep the Threat Model Up to Date. Threat modeling is a continuous process that adapts to new threats and system changes.
Make threat modeling holistic and straightforward. Start after the high-level design phase, and revisit the model continuously throughout a product's lifecycle.
Concentrate on domain-specific problems, which threat modeling is good at identifying. However, when identifying domain-agnostic issues, use automated approaches.
Special Thanks to the following individuals who provided feedback for this episode: Iswarya Subramanian Balachandar, Kuldeep Kumar, Abdoulkader (Abdo) Dirieh, Rob van der Veer, and Tony Turner.
7 min