7 threat modeling mistakes you’re probably making

The relative lack of maturity around threat modeling can cause big problems for organizations seeking to adopt the practice to bolster their network and services security.

The Open Web Application Security Project (OWASP) describes threat modeling as a structured approach for identifying, quantifying and addressing the security risks associated with an application. It essentially involves thinking strategically about threats when building or deploying a system so proper controls for preventing or mitigating threats can be implemented earlier in the application lifecycle.

Threat modeling as a concept certainly isn't new, but few organizations have implemented it in a meaningful way. Best practices for threat models are still emerging, says Archie Agarwal, founder and CEO of ThreatModeler Software. "The biggest problem is a lack of understanding of what threat modeling is all about," he says. There are multiple ways to do threat modeling, and companies often run into trouble figuring out how to look at it as a process and how to scale it. "There is still a lack of clarity around the whole thing."

Here, according to Agarwal and others, are seven mistakes you are likely making when doing threat modeling:

1. Being too application centric

One of the most common mistakes that organizations make when building a threat model is to focus only on the application itself, Agarwal says. With threat modeling you should try to understand the overall landscape and not just a single application in isolation, he says.

Consider the infrastructure, the database, shared components, third-party interactions and the deployment environment. Threats can vary based on whether an application is on-premises or is running in the cloud or can be accessed by mobile devices and other computing endpoints.