Threat modeling: better caught than taught

Chris Romeo
CEO & Co-Founder

Everyone wants their engineering staff to be better at threat modeling. Security teams desire a world where developers practice a threat modeling mindset. A threat modeling mindset is where threat modeling is no longer a process or a tool but is instead a way of life. When developers embrace this mindset, they see threats jump off the page in both diagrams and code. They hear peers discussing a potential solution, and they can articulate the security challenges that such an approach will cause.

There are different approaches that security teams try when beginning threat modeling. One method is for a central security team to perform all the threat modeling. The challenge with this approach is scalability: as soon as you grow beyond a single pizza's worth of developers, you need a large security team to keep up.

Another approach is to solve threat modeling with tools. Regardless of the tool, developers will struggle to use it without the knowledge needed for a successful deployment. Tools are great, but they come later in the maturity of a threat modeling program.

The best methodology for threat modeling at scale is the "caught not taught" method. Its premise is that the only way to truly grasp threat modeling is by performing threat modeling. Instead of spending hours lecturing on STRIDE versus PASTA, take a small group of developers into a room and ask one of them to draw a picture on the board of the feature they are currently building. Begin asking leading questions about the things you see jump off the board. Teach them how to threat model by performing threat modeling.

For threat modeling to grow, you must magnify your efforts. Spend time with that small group of developers until they reach the early stages of the threat modeling mindset, and then ask them to replicate the exercise with groups of their own. In no time, you'll have an entire organization embracing a security mindset through threat modeling.
