Software Integrity

Search Results for 'threat modeling'

 

Learn how to scale threat modeling with a pattern-based strategy

Performing threat modeling is a difficult and expensive undertaking for most firms. And, understandably. Traditionally, threat modeling requires an experienced security architect with knowledge in three fundamental areas. Architecture and design patterns Enterprise application technologies Security controls and best practices When creating a scalable threat model, it’s important to recognize the benefits and limitations of […]

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Learn how to scale threat modeling with a pattern-based strategy

 

Is threat modeling compatible with Agile and DevSecOps?

Bryan Sullivan, a Security Program Manager at Microsoft, called threat modeling a “cornerstone of the SDL” during a Black Hat Conference presentation. He calls it a ‘cornerstone’ because a properly executed threat model: Finds architectural and design flaws that are difficult or impossible to detect through other methods. Identifies the most ‘at-risk’ components. Helps stakeholders […]

Continue Reading...

Posted in Agile, CI/CD & DevOps | Comments Off on Is threat modeling compatible with Agile and DevSecOps?

 

When should threat modeling take place in the SDLC?

So, your firm has one or two, maybe tens, or even hundreds of applications built and deployed. And now you want to create threat models for those applications. But, why? Let’s find out. Why create application threat models? To identify potential flaws that have been there since the applications were created. And then there are […]

Continue Reading...

Posted in Software Architecture and Design | Comments Off on When should threat modeling take place in the SDLC?

 

How to scale your threat modeling capability

So, you have one or two, maybe tens, or maybe even hundreds of applications already built and deployed. You want to create threat models for those applications. But, why? Come on, you know why—to identify potential flaws that have been there since the applications were created. And of course you also want to create threat […]

Continue Reading...

Posted in Software Architecture and Design | Comments Off on How to scale your threat modeling capability

 

Goal-oriented security threat modeling approaches

When it comes to security, the vast majority of firms take measures to discover and remediate implementation-level software defects (i.e., bugs) in code. While this is a great start to securing software and data, it’s just that—a start. Bugs are only half the problem. It’s a necessary practice to look beyond squashing bugs, and into the […]

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Goal-oriented security threat modeling approaches

 

5 things to do before your threat modeling assessment

When preparing for a threat modeling assessment, there are a lot of moving parts to consider within a firm. These assessments often cause concerns throughout the organizational hierarchy. Don’t worry, that’s normal. To steady those nerves, here are five activities to undertake before your next threat model that will set your team and organization up for […]

Continue Reading...

Posted in Software Architecture and Design | Comments Off on 5 things to do before your threat modeling assessment

 

4 threat modeling questions to ask before your next Agile sprint

Creating a threat model for a moderately complex application can take several weeks and requires a certain level of software security expertise. Just because you’re following an Agile development methodology doesn’t mean that you can ignore potential flaws in the design of the application. The way in which you look for those flaws may need […]

Continue Reading...

Posted in Agile, CI/CD & DevOps, Software Architecture and Design | Comments Off on 4 threat modeling questions to ask before your next Agile sprint

 

Book review: Reading Shostack’s ‘Threat Modeling’

Increasingly, individuals and organizations alike express interest in building their own threat modeling capabilities. Some ask, “What do you think about STRIDE?”. More generally, “How can I help developers think about our systems’ security properties?” Synopsys has published a bunch of valuable threat modeling material but the biggest single body of work continues to come […]

Continue Reading...

Posted in Software Architecture and Design | Comments Off on Book review: Reading Shostack’s ‘Threat Modeling’

 

What is threat modeling? A vocabulary of threat model terms.

A few posts back, we begun a series on Threat Modeling. As we begun writing the second installment in this series, it occurred to me that I’m using a lot of threat modeling vocabulary. When I speak on threat modeling I always warn my audience that ambiguity exists in some of the (even fundamental or […]

Continue Reading...

Posted in Software Architecture and Design | Comments Off on What is threat modeling? A vocabulary of threat model terms.

 

The 5 pillars of a successful threat model

Threat modeling identifies risks and flaws affecting a system. A thorough analysis of the software architecture, business context, and other artifacts (i.e. functional specifications, user documentation) allows practitioners of the threat modeling process to discover important aspects of the system—security-related or not—and synthesize an understanding of the system that may not yet exist within the […]

Continue Reading...

Posted in Software Architecture and Design | Comments Off on The 5 pillars of a successful threat model