Questions on threat modelling
1) How to integrate threat modelling into Jira workflows?
2) How/where to store the threat models so that they can easily be reviewed for future reference? In my experience diagrams/PDFs become obsolete and no one views them in the future.
3) How to ensure all threats are covered? How to know that we have threat modelled enough?
4) How is threat modelling different from a secure design review?
NPS for threat modeling
Hello everyone! I am searching for ideas or experiment feedback on how to gather a sort of TM “NPS score” as a measure of how well or not we’re doing with our engineering teams. Hint: sending MS Forms surveys doesn’t really work.

Looking past the “number of threat models performed”, “number of security work items opened” (and maybe never worked on), etc., how would you measure the actual value that is brought (or not) to various engineering teams as you educate them / have them perform threat modeling?

As I am endeavoring in some development work to create a custom Azure DevOps extension for NFRs to bring stuff in-band of engineering teams (and ensure something more cyclic too), I have some rough ideas, but would like to open the question to the experts :)

Thanks!
Question on Reddit: Threat modeling sometimes not the best option for addressing security? Request for comments
Sharing this from a post by u/RoAmbk on r/threatmodeling; I thought it would be good to get this community’s input.

Hi,

I sometimes need to help projects in the web/cloud domain, some of them green field projects. Threat modeling is a vital part of the SSDLC of these projects. On the other hand, there are guidelines like OWASP Top 10, OWASP ASVS, and many more that can help in getting to a certain security level.

I prefer to first follow guidelines and only after these have been assessed, perform threat modeling to detect risks and mitigate them. I have had the experience that putting threat modeling before assessing a guideline is not as effective for these kinds of projects.

On the other hand, threat modeling is best when assessing a very custom solution like an embedded system with networked and legacy components.

Do you have some thoughts and comments? I would be very interested in your opinion.

Thank you

What do you think? (source: https://www.reddit.com/r/threatmodeling/comments/10xaxsm/thre
Threat Models in SBOMs
SBOMs are a critical part of helping secure the software supply chain. Having a catalogue of libraries and components in an SBOM is obviously the key element of this, so that it can be queried by security tools to identify known vulnerabilities. So far so good.

I can’t help thinking that including a threat model in the SBOM would help to provide some additional context about the security decisions made by the vendor. What I mean is that as a software vendor, I choose my third-party components and include them in my software. When I do that, I may make some security decisions, such as including a library with a known vulnerability because I know that we don’t use that library in a way that exposes the vulnerability. A threat model would be a way for me to communicate this to readers of my SBOM.

What do the SBOMmers think of this? Has any work been done in the area of marrying threat modeling and SBOMs?
How do you define the success criteria for threat modeling?
How do you determine the “success” of a threat model program? Are there any key performance indicators you’re using? It is not just the number of threat models created or the number of threats reported, but the impact it makes. I’m curious how the community measures the impact of a threat model.