close search bar

Sorry, not available in this language yet

close language selection

When should threat modeling take place in the SDLC?

Synopsys Editorial Team

May 24, 2017 / 2 min read

Table of Contents

So your firm has one or two, maybe tens, or even hundreds of applications built and deployed. And now you want to create threat models for those applications. But why? Let's find out.

Why create application threat models?

To identify potential flaws that have been there since the applications were created. And then there are new applications that your development teams are creating as we speak. You'll want to create threat models for these as well.

Threat modeling identifies risks and flaws affecting an application, no matter how old or new that application is. Conducting a thorough analysis of the software architecture, business context, and artifacts such as functional specifications and user documentation allows your firm to discover important security- and quality-related issues.

RELATED: How to scale your threat modeling capability

The threat modeling process offers a strategic practice by which you can think about a system's characteristics. It also provides visibility into weaknesses that may affect not only the application, but potentially the entire organization.

When should threat modeling take place in the SDLC?

Creating a threat model can take several weeks. The way in which the team conducting the threat model looks for flaws may require adjustment based on the SDLC methodology in use within your firm. No matter what methodology you utilize, you can't neglect identifying and resolving design flaws.

In order to identify and resolve those flaws, you must understand that there are five primary activities that make up a threat model:

  1. Defining the scope and depth of the analysis.
  2. Gaining an understanding of what you're threat modeling.
  3. Modeling the attack possibilities.
  4. Interpreting the threat model.
  5. Creating a traceability matrix to record missing or weak controls.

RELATED: The 5 pillars of a successful threat model

In an ideal scenario, threat modeling should take place as soon as the architecture is in place. However, not all scenarios are ideal. No matter when you end up performing the threat model, understand that the cost of resolving issues generally increases further along in the SDLC.

The earlier you're able to identify potential attacks and squash those vulnerabilities, the more time and cost efficient those resolutions will be. Remember, it's better to build security in than it is to bolt security on. But, again, not all scenarios are ideal and not all applications undergo a threat modeling assessment during their development. Don't worry, not all hope is lost.

While threat modeling should take place as early as possible, it's still a very useful activity no matter how close an application is to deployment or has been in production. While an app may have reached the end of its development cycle, you can still pick up threat modeling within the support cycle.

Threat modeling offers perspective into potential flaws in the system. A thorough assessment informs your organization about the current design-level security stance of an application. Therefore, through threat modeling, you're able to make an informed decision about investing further in that system.

Banner Image for Synopsys Software Security Threat Modeling eBook Download

Continue Reading

Managing risk at scale

Managing risk at scale

Charlotte Freeman
By Charlotte Freeman

Apr 08, 2024 / 2 min read

Tags: Software Integrity, Manage Security Risks
SANS report: Securing the shifting landscape of application development

SANS report: Securing the shifting landscape of application development

Charlotte Freeman
By Charlotte Freeman

Apr 03, 2024 / 2 min read

Tags: Software Integrity, Manage Security Risks
Guide to updating from NIST CSF 1.1 to 2.0

Guide to updating from NIST CSF 1.1 to 2.0

John Waller
By John Waller

Mar 29, 2024 / 7 min read

Tags: Software Integrity, Cloud Security, Manage Security Risks
2024 OSSRA report: Open source license compliance remains problematic

2024 OSSRA report: Open source license compliance remains problematic

Fred Bals
By Fred Bals

Mar 19, 2024 / 4 min read

Tags: Artificial Intelligence, Software Integrity, Manage Security Risks, OSS License Compliance
Attesting to secure software development practices

Attesting to secure software development practices

Tim Mackey
By Tim Mackey

Mar 12, 2024 / 2 min read

Tags: SCA, Software Integrity, Secure the Software Supply Chain, Manage Security Risks
2024 OSSRA Report: Outdated code risk in open source components

2024 OSSRA Report: Outdated code risk in open source components

Fred Bals
By Fred Bals

Mar 06, 2024 / 4 min read

Tags: Software Integrity, Security News & Trends, Secure the Software Supply Chain, Manage Security Risks

Explore Topics

Agile, CI/CD
AppSec Best Practices
Artificial Intelligence
Automotive
Build Security into DevOps
Cloud Security
Compliance
Container Security
CyRC
DevSecOps
DAST
Financial Services
Fuzzing
Healthcare
IAST
Internet of Things
M&A
Manage Security Risks
Medical Devices
Mobile
Orchestration & Correlation
OSS License Compliance
Pen Testing
Program Strategy & Planning
Public Sector
SAST
SCA
Secure the Software Supply Chain
Security News & Trends
Threat Modeling
Threat & Risk Assessment
Training
Web Application Security