Secure software development requires a ‘shift left’ — paying attention to security and privacy early in the life cycle. Threat modeling is a very useful activity for achieving this goal, but for a variety of reasons, organizations struggle to introduce it.
Last year, a group of industry and academy experts got together with the goal of looking at the current state of threat modeling and putting together a threat modeling manifesto — what we consider to be a good practice and how to get there. One challenge we set ourselves was to be brief: it should be printed as one page and displayed in a team space. To achieve brevity, we had to omit some details, of course. In the five months since we published this, many interesting questions have appeared online.
To answer some of these questions, I am going to go over the guidance from the Threat Modeling Manifesto and fill in some of the details and rationale behind the values, principles and patterns.
Values of Threat Modeling
If you are familiar with Agile Manifesto, you know how it works: while there is value in the items on the right, we value the items on the left more.
A culture of finding and fixing design issues over checkbox compliance.
Compliance is important. There is nothing wrong with starting from the point of ‘I need a threat model to keep my auditors happy.’ But there is much more that threat modeling can do for you. It’s one of the aspects that contribute to the overall security culture that every ..