“Security is a continuous process.”
With the advent of the GDPR the question “Is your web application secure?” is almost part of a standard checklist. “Yes, our firm is an expert in software security” is clearly not the right answer. Especially when you do get breached. “No” is obviously also not the best choice of words.
100% security doesn’t exist. Security is difficult if not impossible to objectively quantify. The right approach is to leverage the so-called “security by design” where security is introduced early during the requirements analysis.
The discipline of threat modeling exists for quite some time. However it has gained quite some traction in the past years largely thanks to STRIDE and LINDDUN frameworks. The essence of threat modeling is to look into the set of all the possible threats. Once we have discovered the threats we come up with countermeasures in order to reduce the likelihood and the impact of the threats (i.e., the risk).
Security by design is all about threat modeling early (during requirements analysis phase) in the software development lifecycle.
Threat Modeling Tool
For the past months we have been working very hard at creating the most pragmatic, yet powerful threat modeling tool that will allow various stakeholders describe in a systematic fashion the most feared security and privacy events. A prototype version of the tool has been released for internal use.
We attach some screenshots from the tool. Contact us if you have the urgent interest to have an evaluation license for the tool.