Threat Modeling

7.

Integrating Threat Modeling into the Development Lifecycle

7.1.

Threat Modeling in Different Methodologies

7.1.1.

7.1.1.1.

Threat Modeling in Design Phase

7.1.1.2.

Handoffs to Implementation

7.1.2.

Agile and Scrum

7.1.2.1.

Threat Modeling in Sprints

7.1.2.2.

Backlog Integration

7.1.3.

7.1.3.1.

Continuous Threat Modeling

7.1.3.2.

Automation Opportunities

7.2.

Timing the Threat Modeling Activities

7.2.1.

During Design and Architecture Phase

7.2.1.1.

Initial Threat Model Creation

7.2.1.2.

Design Review Integration

7.2.2.

During Sprint Planning

7.2.2.1.

User Story Threat Analysis

7.2.2.2.

Acceptance Criteria for Security

7.2.3.

As a Continuous Activity

7.2.3.1.

Ongoing Updates

7.2.3.2.

Integration with Change Management

7.3.

Roles and Responsibilities

7.3.1.

Security Champions

7.3.1.1.

Advocacy and Training

7.3.1.2.

7.3.2.

Developers and Engineers

7.3.2.1.

Model Creation and Maintenance

7.3.2.2.

Implementing Mitigations

7.3.3.

7.3.3.1.

System Design Oversight

7.3.3.2.

Threat Model Review

7.3.4.

Security Professionals

7.3.4.1.

Facilitation and Guidance

7.3.4.2.

Risk Assessment

7.3.5.

7.3.5.1.

Prioritization of Security Work

7.3.5.2.

Stakeholder Communication

Previous

6. Validation and Verification

Go to top

Next

8. Domain-Specific Threat Modeling