I came across an article that I can’t seem to find again. It asked if threat modeling should be a mandatory practice. We might all want to agree that it should (as we are a threat modeling community). However, I don’t believe the answer is binary. I think there is a spectrum that the answer lies on, and every organization has its own point on that spectrum, one that will evolve at some rate.
I’d love to discuss everyone’s thoughts on this subject. Maybe a specific practice worked at one place but didn’t work at another.
Also, something I think is interesting: does trending threat modeling toward being mandatory help define a mature threat modeling process?