It’s tough to come up with effective ways to defend your organization against cyberthreats if you don’t know what they’re likely to be. As the 5th Century Chinese General Sun Tzu put it in The Art of War, to defeat your enemy you have to “know your enemy.”
That’s why threat modeling should be mandatory—to mitigate threats, you need to know what they are.
And that’s why Black Duck has created a whitepaper titled “Threat Modeling, Decoded.” Its goal is to help security teams understand an attacker’s mindset and the specific threats those attackers pose.
Chris Cummings, principal consultant at Black Duck and coauthor of the whitepaper, says there is general agreement in the cybersecurity industry on the five necessary steps to create a useful threat model. They are scoping, data gathering, system model, attack model, and risk analysis. But different providers offer different methodologies to complete those steps, and the process can be tailored to an organization’s individual needs to help it set priorities and provide the most protection to what it values most.
In this, the first of four AppSec Decoded conversations, Cummings and Taylor Armerding, security advocate at Black Duck, talk about the first two steps in threat modeling—scoping and data gathering.