What does good security look like to you?
I was in a sprint review this week reviewing stories, one of which was "As a developer, I want our applications to be secure". What does that mean? Is every conceivable security hole fixed? Every vulnerability patched, including low severity?
That's a lot of effort for marginal gain - would that be going too far?
Security is of course a spectrum - it depends on the context. Is your business regulated? Do you gather personal data? Are you tied to older technology, such as SWIFT, SCADA or SS7? Do you host critical national infrastructure? These questions drastically change what "secure" means for you.
In software, it's widely accepted that clear requirements are needed for quality software, and unclear requirements tend to lead to bad software and more time spent reworking things.
In my experience working with engineering teams over a number of years and across a number of sectors and verticals, I've found that in security it is just the same: clear needs from the business leads to better security culture and a better security posture. And saved effort.
Let me explain.
If you know the threats your organisation faces, the risks they pose and how to mitigate those risks, should you choose to, that's good for security. Some risks must be accepted, either in the short-term or long-term. By knowing that risk position and being able to improve where desired, I find my customers get better results.
There are many ways of capturing threats, and risks and how you deal with those. In my experience, the best model is by far the threat model.
A threat model combines all the key information in one place. It's easy to create and serves as a live view of the security posture of any system or business process. This simple formula delivers many benefits: as a communication tool, as a risk management tool, as a planning tool and as a foundation of a DevSecOps programme.
If you would like to know more about the benefits threat modelling could bring to your specific circumstances and want to dip your toe in the water, get in touch with me to discuss your situation and do a small threat model with your team.
I helped customers get fantastic results by getting this crucial part of their security right. They've gained more clarity, a stronger security culture and better cohesion between engineering and security teams (and, of course, a happier end customer with a more secure product).
In these times more than ever every business needs to know what to secure, how to secure it and how far to go. Threat models give a great framework to chart the course to success so your business can carry on focussing on what it does best, rather than getting bogged down in security incidents and uncertainty about security vulnerabilities.