Current approaches to threat modeling emphasize manual analysis, which is typically performed by security-trained teams. This has a high initial cost, both in terms of time and the skills required to perform it. Enterprise environments offer the additional challenge of scaling this activity across thousands of products with a limited number of software security specialists to guide the process. Lack of the necessary security skills is one of the main reasons why many smaller companies never attempt threat modeling in the first place.
Stephen de Vries presents a software-centric threat modeling method that uses architectural risk patterns to greatly speed up the process of generating a threat model and also introduces a degree of consistency between models that is often lacking in purely manual approaches. The method for creating risk patterns employs principles from object-oriented software design, such as inheritance and polymorphism, so that the contents of the patterns can be practically maintained and extended without unnecessary repetition.
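As an added illustration of the idea (this is not IriusRisk code or the speaker's own material), the sketch below models risk patterns as classes: a base pattern holds threats common to every component, a subclass inherits them and adds web-specific ones, and a further subclass overrides only the countermeasure for the internet-facing case. The threat ids, descriptions and countermeasures are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    id: str
    description: str
    countermeasure: str


class RiskPattern:
    """Base pattern: threats that apply to any networked software component."""
    name = "generic-component"

    def threats(self):
        return [Threat("T-LOG", "Insufficient logging of security events",
                       "Log authentication and authorization decisions centrally")]


class WebApplication(RiskPattern):
    """Inherits the base threats (defined once) and adds web-specific ones."""
    name = "web-application"

    def threats(self):
        return super().threats() + [
            Threat("T-XSS", "Cross-site scripting via untrusted input in pages",
                   "Context-aware output encoding"),
            Threat("T-CSRF", "Cross-site request forgery on state-changing requests",
                   "Anti-CSRF tokens bound to the session"),
        ]


class PublicWebApplication(WebApplication):
    """Polymorphism: same threat ids, stricter countermeasure when internet-facing."""
    name = "public-web-application"

    def threats(self):
        stricter = {"T-CSRF": "Anti-CSRF tokens plus SameSite=Strict session cookies"}
        return [Threat(t.id, t.description, stricter.get(t.id, t.countermeasure))
                for t in super().threats()]


def build_threat_model(components):
    """Map each architecture component name to (threat id, countermeasure) pairs.

    Because every component of the same pattern yields the same list, two models
    built from the same patterns are consistent with each other by construction.
    """
    return {name: [(t.id, t.countermeasure) for t in pattern.threats()]
            for name, pattern in components.items()}
```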
Stephen de Vries is founder of Continuum Security, where he leads product development of the IriusRisk threat modeling tool as well as the BDD-Security open source testing framework, which is used extensively in SecDevOps workflows. Stephen specializes in building software and providing services to secure the SDLC. He has a strong background in web application security, with an emphasis on automated security testing and risk assessment. Stephen has published numerous original research papers and presented at conferences including Blackhat USA/Europe, DevOps Connect, Devoxx, and OWASP, among others. Stephen’s 17 years’ experience in information security has included a broad range of disciplines from software development, security code reviews, and security assessment to risk management and architecture security reviews.
©2016, O’Reilly UK Ltd