B-Sides Portland 2011 Presentation


Most secure development life cycles advocate creating a threat model at design time and updating it as development progresses. Following this advice alone, you will do unnecessary work and receive substantially less benefit than your threat model could provide. Instead, start your threat model at requirements time and use it to select and configure all remaining application-specific secure development activities. Depending on your situation, this could allow you to:

  • Skip or absorb some typically recommended analysis steps (e.g. risk assessment)
  • Look only for what matters during other analysis (e.g. code review and security testing)
  • Build your application more safely (e.g. centralizing the things that would most help the application’s security, protecting third-party components)

Attendees will learn what to put into a threat model when, what to get out of a threat model when, and how a threat model should control and feed information to other secure development practices. Those using Agile development styles will particularly benefit, since a threat model-driven secure development lifecycle is phase-agnostic.


Driving Secure Development Using a Threat Model


Copyright © 2004-2008 Brenda Larcom, Eleanor Saitta, and Stephanie Smith. Copyright © 2009-2012 Brenda Larcom and Eleanor Saitta. All rights reserved.