Cybersecurity In-Depth: Getting answers to questions about IT security threats and best practices from trusted cybersecurity professionals and industry experts.
Threat modeling should be a continuous process alongside development, not a one-time project.
Question: How does threat modeling work in software development?
Archie Agarwal, founder and CEO, ThreatModeler: Threat modeling is the process of identifying potential threats and taking action to prevent them. We all do this in some form, from buying a better lock for our new bicycle to putting a PIN on our mobile phone.
In the cycle padlock example, a determination is made as to the value of the bike, the likelihood of theft, and the value of investing in a more robust padlock. This is threat modeling – and it is no different in software development. We look at the threat landscape, assessing the likelihood of attack, the value of the asset, and the path a miscreant would take, and put an appropriate control in place to thwart them.
Threat modeling should be included early in the software development life cycle. Sadly, many security practices are reactive and applied at the end instead. Threat modeling is a proactive security practice and should be part of the secure design initiative. In fact, threat modeling is the primary route to secure design.
The benefits of threat modeling early are many. It is far more challenging and resource-intensive to re-engineer security after the fact than it is to weave it into the design and build from the start. Threat modeling should be a continuous process alongside the development process, not a one-time project.
The truth is, threat modeling is natural to us and highly intuitive and approachable. It should be part of every software development process.
About the Author(s)
You May Also Like
Securing Code in the Age of AI
April 24, 2024Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024