Chapter 3. Threat Modeling Methodologies

So since all models are wrong, it is very important to know what to worry about; or, to put it in another way, what models are likely to produce procedures that work in practice (where exact assumptions are never true).

G. E. P. Box and A. Luceño, Statistical Control: By Monitoring and Feedback Adjustment (John Wiley and Sons)

This chapter introduces some of the many available threat modeling methodologies, highlighting the many facets of the discipline. We discuss our personal views and experiences (and where appropriate, borrow opinions from trusted sources) on these methodologies’ advantages and drawbacks, so you can identify a methodology that may work for you.

Before We Go Too Deep…

It is important to make one point clear from the start: there isn’t a best methodology. A particular methodology will work successfully in some organizations and teams, or for specific technologies or compliance requirements, and yet will completely fail in others. The reasons are as varied as the team’s organizational culture, the people involved in the threat model exercise, and the constraints put upon the team by the current state of the project (which will vary over time).

Consider, for example, a team that begins without security-oriented goals, then evolves to appointing a security champion representing security interests for the whole team, and finally achieves the state in which every developer, architect, and tester has enough security knowledge ...
