The Threat Assessment (TA) practice focuses on identifying and understanding of project-level risks based on the functionality of the software being developed and characteristics of the runtime environment. From details about threats and likely attacks against each project, the organization as a whole operates more effectively through better decisions about prioritization of initiatives for security. Additionally, decisions for risk acceptance are more informed, therefore better aligned to the business.
By starting with simple threat models and building application risk profiles, an organization improves over time. Ultimately, a sophisticated organization would maintain this information in a way that is tightly coupled to the compensating factors and pass-through risks from external entities. This provides greater breadth of understanding for potential downstream impacts from security issues while keeping a close watch on the organization’s current performance against known threats.
|Maturity level||Stream AApplication Risk Profile||Stream BThreat Modeling|
|1||Best-effort identification of high-level threats to the organization and individual projects.||A basic assessment of the application risk is performed to understand likelihood and impact of an attack.||Perform best-effort, risk-based threat modeling using brainstorming and existing diagrams with simple threat checklists.|
|2||Standardization and enterprise-wide analysis of software-related threats within the organization.||Understand the risk for all applications in the organization by centralizing the risk profile inventory for stakeholders.||Standardize threat modeling training, processes, and tools to scale across the organization.|
|3||Proactive improvement of threat coverage throughout the organization.||Periodically review application risk profiles at regular intervals to ensure accuracy and reflect current state.||Continuously optimization and automation of your threat modeling methodology.|