If an organization were to conduct a survey about its Threat Modeling program, what are the top 5 things that the survey must aim to ask?
Say, the stakeholders for this survey would be the application architects & managers.
Hi
For an existing program, I’d ask:
Again, every question has tons of hidden assumptions on the maturity of your program and the team topologies.
It’s
the answer to that question highlights whether models are effective.
That metric can also be used to determine the effectiveness of those responsible for leading modelling (security architects, security champions, whomever). Most of the measures of security people doing secure design, I find pretty meaningless because project size and complexity vary, dev teams vary in their capacity and skill to define needed security, all of which make things like Total Security Requirements or number of projects worked and the like, meaningless.
But, effective security practitioners know how to get security items built! That single metric can only come about when:
Not exactly 1 number to ‘rule them all’, but certainly one very useful number.
Hi
Hi
From what I have seen working with many organizations, there seems to be a lack of unified vision around threat modeling outputs and then when there is, there hasn’t been much gap analysis provided to determine if or how we might actually create that output. In light of that, this would be my top five.
Was there a specific topic you were hoping to explore with your survey?
Here’s what I ask as I get into a new TM. If I made a survey post-TM, I’d want to know those things happened. So here’s my top 5:
1) Did you have everything you needed to make a successful TM? If not, what were you missing?
2) Do you feel the TM improved the security of your product/design?
3) What is something you learned in the TM process?
4) What aspect of the TM took you the longest to complete? How could that time have been shortened?
5) On a scale of 1 to 10, how would you rate your TM?