7 threat modeling mistakes you’re probably making

The relative lack of maturity around threat modeling can cause big problems for organizations seeking to adopt the practice to bolster their network and services security.


What is threat modeling?

Threat modeling, according to OWASP, is a structured approach for identifying, quantifying and addressing the security risks associated with an application. It essentially involves thinking strategically about threats when building or deploying a system so proper controls for preventing or mitigating threats can be implemented earlier in the application lifecycle.

Threat modeling as a concept certainly isn't new, but few organizations have implemented it in a meaningful way. Best practices for threat models are still emerging, says Archie Agarwal, founder and CEO of ThreatModeler Software. "The biggest problem is a lack of understanding of what threat modeling is all about," he says. There are multiple ways to do threat modeling, and companies often run into trouble figuring out how to treat it as a process and how to scale it. "There is still a lack of clarity around the whole thing."

Here, according to Agarwal and others, are seven mistakes you are likely making when doing threat modeling:

1. Being too application centric

One of the most common mistakes that organizations make when building a threat model is to focus only on the application itself, Agarwal says. With threat modeling you should try to understand the overall landscape and not just a single application in isolation, he says.

Consider the infrastructure, the database, shared components, third-party interactions and the deployment environment. Threats can vary based on whether an application is on-premises or is running in the cloud or can be accessed by mobile devices and other computing endpoints.
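As an added illustration of this mistake (example code written for this page, not from the article or from ThreatModeler), here is a constructed data-flow model of a small system. The application-centric scope treats everything the app depends on as trusted and so sees a single trust-boundary crossing, while the landscape scope also exposes the database, shared cache, third-party API, mobile client and deployment-pipeline flows.

```python
from dataclasses import dataclass

# Constructed sample system (not taken from the article): a web app, its
# database and shared cache, a third-party payments API, two client endpoints
# and the cloud deployment plane. A flow whose ends sit in different trust
# zones crosses a trust boundary, which is where a threat model should focus.
@dataclass(frozen=True)
class Element:
    name: str
    zone: str  # trust zone the element runs in
    kind: str  # application, user, endpoint, database, shared, third-party, deployment
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
ELEMENTS = {e.name: e for e in [
    Element("browser", "internet", "user"),
    Element("mobile-app", "internet", "endpoint"),
    Element("web-app", "app-tier", "application"),
    Element("orders-db", "data-tier", "database"),
    Element("session-cache", "data-tier", "shared"),
    Element("payments-api", "external", "third-party"),
    Element("ci-deployer", "cloud-control-plane", "deployment"),
]}
FLOWS = [
    Flow("browser", "web-app", "login credentials"),
    Flow("mobile-app", "web-app", "bearer token"),
    Flow("web-app", "orders-db", "order records"),
    Flow("web-app", "session-cache", "session ids"),
    Flow("web-app", "payments-api", "card tokens"),
    Flow("ci-deployer", "web-app", "container image and secrets"),
]

def effective_zone(element, scope):
    """An application-centric scope looks only at the app and its direct users;
    everything else is lumped into the app's own zone, i.e. silently trusted."""
    if scope == "application" and element.kind not in ("application", "user"):
        return "app-tier"
    return element.zone

def boundary_crossings(scope):
    """Flows whose endpoints lie in different trust zones under the given scope."""
    return [(f.src, f.dst, f.data) for f in FLOWS
            if effective_zone(ELEMENTS[f.src], scope)
            != effective_zone(ELEMENTS[f.dst], scope)]

def missed_crossings():
    """Crossings the landscape model reveals that the application-only model hides."""
    seen = set(boundary_crossings("application"))
    return [c for c in boundary_crossings("landscape") if c not in seen]
```

Each missed crossing is a place where a control (authentication between tiers, secrets handling in the deployment pipeline, input validation of third-party responses) would never have been asked about by the narrower model.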
