CHAPTER 4 THREAT MODELING WITHIN THE SDLC

BUILDING SECURITY IN SDLC WITH THREAT MODELING

“Proactively identifying risks is one of the main benefits of threat modeling. Rather than waiting for something bad to happen and waiting for the risk to be realized, it means taking control of risks and making risk-informed decisions in advance and initiating design changes ahead of a future deployment of the application. But a lot of businesses out there don't see the return on investment, they look at it as a liability, and until they can understand that proactive security actually returns, gives them a return on investment, it's still a hard sell for people.”

Kevin Mitnick

Applications and software are complementary; software is what applications are made of. Applications are engineered by following a Software Development Life Cycle (SDLC) process that encompasses different phases such as software functional requirements, software design, coding, building the software into an executable, integration with other software libraries, and functional and quality testing.

Rationale for Building Security in the SDLC

Historically, security in software has mostly been considered a requirement to be validated with functional testing, which usually takes place during the last phase of the SDLC. Any security issues identified at that stage, such as common vulnerabilities, require implementing a fix for the issue, testing and release of either a patch ...
