Useful Links
1. Introduction to Threat Modeling
2. The Threat Modeling Process Overview
3. System Decomposition and Modeling
4. Threat Identification and Enumeration
5. Threat Analysis and Risk Assessment
6. Validation and Verification
7. Integrating Threat Modeling into the Development Lifecycle
8. Domain-Specific Threat Modeling
9. Tooling and Automation
10. Scaling a Threat Modeling Program

Threat Modeling

1. Validation and Verification
  1. Reviewing the Threat Model
    1. Peer Review Process
      1. Review Checklists
      2. Cross-Disciplinary Reviews
    2. Validating Assumptions
      1. Documenting Assumptions
      2. Testing Assumptions
    3. Ensuring Completeness and Accuracy
      1. Coverage Analysis
      2. Gap Identification
  2. Tracking and Managing Mitigations
    1. Creating Security Tickets
      1. Issue Tracking Systems
      2. Linking Threats to Tickets
    2. Assigning Ownership
      1. Role Assignment
      2. Accountability Mechanisms
    3. Verifying Implementation
      1. Security Testing
      2. Code Review
      3. Penetration Testing
  3. Measuring Success
    1. Key Performance Indicators
      1. Number of Threats Identified
      2. Mitigation Completion Rate
    2. Reduction in Security Bugs
      1. Tracking Defect Trends
      2. Post-Release Defect Analysis
    3. Coverage of Critical Applications
      1. Application Inventory
      2. Threat Model Coverage Metrics
  4. The Feedback Loop and Continuous Improvement
    1. Updating the Threat Model
      1. Change Management
      2. Version Control
    2. Learning from Security Incidents
      1. Post-Incident Reviews
      2. Incorporating Lessons Learned
