Sharing this from a post by u/RoAmbk on r/threatmodeling, I thought it would be good to get this community’s input.
I sometimes need to help projects in the web/cloud domain, some of them greenfield projects. Threat modeling is a vital part of the SSDLC of these projects. On the other hand, there are guidelines like OWASP Top 10, OWASP ASVS, and many more that can help in getting to a certain security level.
I prefer to first follow guidelines and only after these have been assessed, perform threat modeling to detect risks and mitigate them.
I had the experience that putting threat modeling before assessing a guideline is not as effective for these kinds of projects.
On the other hand, threat modeling is best when assessing a very custom solution like an embedded system with networked and legacy components.
Do you have some thoughts and comments? I would be very interested in your opinion.
What do you think?
Sharing my thoughts on the question: indeed, getting started on security can be a challenge; there are a lot of things that you are supposed to do. Though, I would consider a) whether it is a one-time activity for a specific project or more about setting up a general process, and b) whether it is something you are doing for yourself (your own project) or attempting to build up with a variety of teams.
I tend to start with TM first when it is about working with teams and I envision it becoming a lived process instead of a one-time activity. The OWASP guidelines can be a good guide for a development team to consider the basics on its own. Though, injecting a work model into a team is first about understanding their specific needs and their way of working. Coming in with a standard in the first place may result in resistance. The beauty of TM is that you have the chance to learn the team culture and the specifics (and needs) of their application and the team members.
These activities find different problems. Guidelines and checklists are great for “known knowns”, threat modelling can get you into other quadrants too.