Showing posts from June, 2022

Threat Model Maturity model

Achieving a difficult goal like having useful, always up-to-date Threat Models requires resources and a good strategy. It also requires dividing the big challenge into smaller steps, assessing progress and, first of all, defining the ultimate goal. For those activities a maturity model is the right tool. It defines the goal as the target maturity. It also defines a series of intermediate goals in the form of lower to higher maturity targets, and it is fundamental for assessing the advancement and the overall quality/maturity of the Threat Models. There are some great maturity models, for example OWASP SAMM, that help assess the maturity of different practices across the secure development lifecycle (https://owaspsamm.org/model/design/threat-assessment/). I've personally worked with them with great results. But the granularity and detail of the parameters for assessing the maturity of secure design and threat modeling are not enough for defining a specific strategy for successfully Threat Model