What is Threat Modelling ?

Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.

Threat modelling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, things in the internet of things, business processes, etc. There are very few technical products which cannot be threat modelled; more or less rewarding, depending on how much it communicates, or interacts, with the world. Threat modelling can be done at any stage of development, preferably early - so that the findings can inform the design.

What

Most of the time, a threat model includes:

  • A description / design / model of what you’re worried about

  • A list of assumptions that can be checked or challenged in the future as the threat landscape changes

  • A list of potential threats to the system

  • A list of actions to be taken for each threat

  • A way of validating the model and threats, and verification of success of actions taken

 

Our motto is: Threat modelling: the sooner the better, but never too late.

Why

The inclusion of threat modelling in the SDLC can help

  • Build a secure design

  • Efficient investment of resources; appropriately prioritize security, development, and other tasks

  • Bring Security and Development together to collaborate on a shared understanding, informing development of the system

  • Identify threats and compliance requirements, and evaluate their risk

  • Define and build required controls.

  • Balance risks, controls, and usability

  • Identify where building a control is unnecessary, based on acceptable risk

  • Document threats and mitigation

  • Ensure business requirements (or goals) are adequately protected in the face of a malicious actor, accidents, or other causes of impact

  • Identification of security test cases / security test scenarios to test the security requirements

To summarise, every device connected to a network should ideally have  a threat model created.  Contact us to to discuss any concerns that you have with any of your products...

©2019 by Oddfellows Services Ltd t/a OFS.

Registered in England Number 11987380

Registered Office : International House, 24 Holborn Viaduct, London, EC1A 2BN, London, United Kingdom.

Email : operations@ofsec.co.uk

Telephone : +44 (0) 203 787 4785