• Skip to main content
  • Skip to after header navigation
  • Skip to site footer

JD Meier

Inspiring the world with innovation!

  • About
  • Latest
  • Articles
  • Books
  • Courses
  • Topics
    • Innovation
    • Strategy
    • High-Performance
    • Digital Transformation
    • Agile
    • All Topics
  • Resources
  • Coaching
  • Contact

How I Explain Threat Modeling to Customers

by JD Meier

image

Here’s my trying to explain threat modeling (actually core modeling) to a customer …

My core theme of the modeling is this:

  • Define what good looks like (e.g. objectives)
  • Establish boundaries of good (constraints, goals — what can’t happen, what needs to happen, what’s nice to happen)
  • Identify tests for success (define criteria … entry criteria and exit criteria … how do I know when it’s good enough)
  • Model to play ‘what if’ scenarios before going down long-winded dead ends
  • Identify and prototype the high risk end-to-end engineering decisions (to provide feedback, inform the direction, update the objectives)
  • Use an information model (e.g. the web app security frame — use ‘buckets’ to organize both decomposition as well as package up the principles, practices, and patterns) … another trick here is that the frame encapsulates ‘actionable’ categories … you’re modeling to inform choices and build on other’s knowledge
  • Leverage community knowledge. (The information/model frame also helps leverage community knowledge – you don’t have to start from scratch or be a subject matter expert – to speak to the development, you can use patterns, anti-patterns, code samples)
  • Model just enough to reduce your key risks and make informed decisions (look before you leap)
  • Incrementally render your information (you basically spiral down risk reduction … you identify what you know and what you need to know next
  • Use a set of complimentary activities over a single silver bullet (use case analysis is complimentary to data flow analysis is complimentary to subject object matrix … etc.; threat modeling does not replace security design inspection or code inspection or deployment inspection)

This is the approach I use whether it’s security or performance or any other quality attribute. 

In the case of threat modeling, vulnerabilities are the key. 

These go in your bug database and help scope test.

You Might Also Like

Agile Security Engineering
Agile Architecture Method
Agile Life-Cycle Frame
Agile Performance Engineering
ALM Categories at a Glance
Baking Performance into the Life Cycle
Extreme Programming at a Glance
Scrum at a Glance
Software Methodologies at a Glance
Software Performance Frame
Software Performance Hot Spots
Software Performance Inspections
Waterfall to Agile
What is Agile?

Category: Architecture, Software

About JD Meier

I help leaders change the world.

Previous Post:Model-Driven Approaches
Next Post:Threat Modeling Terms and How To Use Them

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Sidebar

About Me

JD I am J.D. Meier. I help leaders change the world. Learn more...

Popular Articles

10 Things Great Managers Do
40 Hour Work Week at Microsoft
Best Digital Transformation Books
How To Become an Innovator
How To Drive Digital Transformation
How To Lead High-Performance Teams
Innovation Explained
Satya Nadella Quotes
View More...

Become a better leader, innovate better, and achieve greater impact!

I help leaders change the world   As part of your journey, learn how to realize your potential in work and life through the power of creativity, imagination and creative vision. 

Topics

  • Innovation
  • Agile
  • Strategy
  • Leadership
  • Digital Transformation
  • High Performance

Copyright © 2023 · JD Meier · All Rights Reserved