Modeling a Web Application.md - Juan-bit94/Ops401D10 GitHub Wiki

Modeling a Web Application

Why does this topic matters?

  • This topic matters because it enables organizations to proactively identify and mitigate potential security risks and vulnerabilities in their software applications.
  • When these issues are addressed early in the development lifecycle, organizations can reduce the likelihood of security breaches and minimize their impact.

Explain threat modeling using real-world non-technical examples.

  • I would say that threat modeling is like the service Carfax. Carfax gives you a vehicle history report, these reports contain information about a vehicles past and other data points such as mileage and whether or not its been reported stolen.
  • Carfax and threat modeling helps people and organizations to identify, communicate and understand threats to protect something valuable.
  • Carfax protects people's car purchasing and threat modeling protects software and applications via information.

What are the four questions that can help us organize threat modeling?

  • The four questions are as follows
    1. What are we working on?
    2. What can go wrong?
    3. What are we going to do about it?
    4. Did we do a good job?

You are the project lead for a new application. How would you explain the benefits of Threat Modeling to the rest of the team?

  • I would explain to my team that threat modeling offers valuable benefits to our endeavors or systemic process by systematically identifying potential security threats and vulnerabilities early on.
  • I would express how we can significantly reduce the overall risk exposure of our application, systems, or software. And we can save time and resources while enhancing security.
  • By implementing this proactive approach, we comply with industry regulations, but also instill confidence in stakeholders and improves our ability to meet customer needs efficiently.
  • In the end, integrating threat modeling into our development lifecycle streamlines the process, enabling us to deliver a more secure and reliable product to market while avoiding costly delays and rework.

Things I want to know more about

  • I would like to know more about the various threat modeling methodologies such as STRIDE, DREAD, PASTA, and VAST.
  • I would also like to know more about the strategies for facilitating collaboration among cross-functional teams during the threat modeling process. Kind of like a how to guide on engaging developers, security professionals, and other stakeholders effectively.