February 14, 2022: Conclusion updated to reference the companion “How to approach threat modelling” video session.

In this post, I’ll provide my tips on how to integrate threat modeling into your organization’s application development lifecycle. There are many great guides on how to perform the procedural parts of threat modeling, and I’ll briefly touch on these and their methodologies. However, the main aim of this post is to augment the existing guidance with some additional tips on how to handle the people and process components of your threat modeling approach, which in my experience goes a long way to improving the security outcomes, security ownership, speed to market, and general happiness of all involved. Furthermore, I’ll provide some guidance specific to when you’re using Amazon Web Services (AWS).

Let’s start with a primer on threat modeling.

IT systems are complex, and are becoming increasingly more complex and capable over time, delivering more business value and increased customer satisfaction and engagement. This means that IT design decisions need to account for an ever-increasing number of use cases, and be made in a way that mitigates potential security threats that may lead to business-impacting outcomes, including unauthorized access to data, denial of service, and resource misuse.

This complexity and number of use-case permutations typically make it ineffective to use unstructured approaches to find and mitigate threats. Instead, you need a systematic approach to enumerate the potential threats to the workload, to devise mitigations, and to prioritize those mitigations so that the limited resources of your organization have the maximum impact in improving the overall security posture of the workload.

Threat modeling is designed to provide this systematic approach, with the aim of finding and addressing issues early in the design process, when the mitigations have a low relative cost compared to later in the lifecycle.