Incremental threat modeling: Never try to boil an ocean

Description

Threat modeling, a structured method for identifying weaknesses on architectural level, is an invaluable tool for software architects who want to create secure architectures or check existing architectures for security flaws. However, introducing it on existing complex projects requires time that architects and developers may not have, and not every company can afford a Microsoft-style “security push,” where all new development stops in order to focus on security.

Incremental threat modeling that concentrates on current additions and modifications can be time-boxed to fit the tightest of Agile life-cycles and still deliver security benefits. Irene Michlin introduces a technique for performing threat modeling in ongoing projects without a prohibitive initial time investment.

Full disclosure is necessary at this point—threat modeling is not the same as adding tests to the “ball of mud” codebase and eventually getting decent test coverage. You will not be able to get away with doing just incremental modeling—you must tackle the whole architecture at some point. But the good news is that you will approach this point with more mature skills from getting the practice, and you will get a better overall model with less time spent than if you tried to build it upfront.