How Threat Modeling Helps Discover Security Vulnerabilities
Application threat modeling can be used as an approach to secure software development, as it is a nice preventative measure for dealing with security issues, and mitigates the time and effort required to deal with vulnerabilities that may arise later throughout the application’s production life cycle. Unfortunately, it seems security has no place in the development life cycle, however, while CVE bug tracking databases and hacking incident reports proves that it ought to be.
There’s a trend of insecure software development:
a) Iron Triangle Constraint: the relationship between time, resources, and budget.
b) Security as an Afterthought: taking security for granted has an adverse effect on producing a successful piece of software.
c) Security vs Usability: another reason that seems to be a showstopper in a secure software delivery process is the idea that security makes the software usability more complex and less intuitive (e.g. security configuration is often too complicated to manage).
It is absolutely true that the incorporation of security comes with a cost.
What is Threat Modeling?
Threat modeling is a systematic approach for developing resilient software. It identifies the security objective of the software, threats to it, and vulnerabilities in the application being developed. It will also provide insight into an attacker’s perspective.