If an organization were to conduct a survey about its Threat Modeling program, what are the top 5 things that the survey must aim to ask?
Say the stakeholders for this survey would be the application architects & managers.
@preethisampath! Thank you for the question :) To help clarify, would you mind sharing a bit more context: what’s the intent of the survey? In other words, what would you like to find out from the survey? Also, where and how do you envision leveraging the survey results? Having the context will help other members share input that better addresses your needs 😊
For an existing program, I’d ask:
Again, every question has tons of hidden assumptions on the maturity of your program and the team topologies.
@irene221b’s last question is the one I find most useful: what actually got built as a result of a model?
The answer to that question highlights whether models are effective.
That metric can also be used to determine the effectiveness of those responsible for leading modelling (security architects, security champions, whomever). Most of the measures of security people doing secure design I find pretty meaningless, because project size and complexity vary, and dev teams vary in their capacity and skill to define needed security, all of which makes things like Total Security Requirements or number of projects worked and the like meaningless.
But, effective security practitioners know how to get security items built! That single metric can only come about when:
Not exactly 1 number to ‘rule them all’, but certainly one very useful number.
@Shuning, the idea is to take an end user survey to gauge the impact of Threat Modeling on applications. This will help to identify pain points and come up with ways to improve the program
From what I have seen working with many organizations, there seems to be a lack of unified vision around threat modeling outputs, and when there is one, there hasn’t been much gap analysis provided to determine if or how we might actually create that output. In light of that, this would be my top five.
Was there a specific topic you were hoping to explore with your survey?
Here’s what I ask as I get into a new TM. If I made a survey post-TM, I’d want to know those things happened. So here’s my top 5:
1) Did you have everything you needed to make a successful TM? If not, what were you missing?
2) Do you feel the TM improved the security of your product/design?
3) What is something you learned in the TM process?
4) What aspect of the TM took you the longest to complete? How could that time have been shortened?
5) On a scale of 1 to 10, how would you rate your TM?