Sharing this from a post by u/RoAmbk on r/threatmodeling, I thought it would be good to get this community’s input.
Hi,
I sometimes need to help projects in the web/cloud domain, some of them greenfield projects. Threat modeling is a vital part of the SSDLC of these projects. On the other hand, there are guidelines like OWASP Top 10, OWASP ASVS, and many more that can help with getting to a certain security level.
I prefer to first follow guidelines and only after these have been assessed, perform threat modeling to detect risks and mitigate them.
I have had the experience that putting threat modeling before assessing a guideline is not as effective for these kinds of projects. On the other hand, threat modeling is best when assessing a very custom solution, like an embedded system with networked and legacy components.
Do you have some thoughts and comments? I would be very interested in your opinion.
Thank you
What do you think?