Evolving Threat Modeling for Agility and Business Value

In the early days, threat modeling was much simpler and based on systems where threat vectors against the system were well-known. But in today’s DevSecOps world, things look quite different.
We have highly distributed systems where the emphasis is largely on component aggregation rather than ground-up coding. Execution and control flow through the system are not always predictable. This means we require the expertise of scarce security experts and architects to threat model effectively. Therefore, aspects like security tend to be considered a cost, best covered by automated tools and processes designed mainly to reduce the impact on development.
Report Snapshot
This paper focuses on threat modeling from a general perspective, without delving into a specific methodology. The considerations and recommendations collected here should therefore be applicable to most approaches.