Threat modeling is one of the first key steps in helping an organization protect its applications, systems, and networks. It is preached at security conferences every year: To protect your digital assets, you need to know what they are, what they are worth, and how malicious attackers are likely to try to compromise them.
A recent white paper titled “Threat Modeling, Decoded” by Synopsys guides organizations through the threat modeling process, which includes five steps—scoping, data gathering, system modeling, attack modeling, and risk analysis. Those steps can be adapted to meet the needs of an organization.
Chris Cummings, principal consultant at Synopsys and coauthor of that white paper, emphasizes that understanding the threats organizations face helps them address those threats more intentionally and efficiently.
In two previous AppSec Decoded episodes, Cummings and Taylor Armerding, security advocate at Synopsys, discussed scoping, data gathering, and creating the system model.
In this, the third of four conversations, they focus on Step 4—what it takes to create a useful attack model.