- Donald E. Hester
Application security is vital; it is not enough to implement firewalls and anti-virus. Applications need to be protected, and one of the best ways to protect them is to code them securely. Threat modeling is a very important part of the Security Development Lifecycle (SDLC). Below are some helpful tools and information on effective threat modeling for developers and testers.
OWASP has a wiki on Threat Modeling here.
STRIDE is a threat modeling framework for applications. It can be used to help coders model threats and determine the risk of an application or part of an application. Larry Osterman, a Microsoft developer, has been an advocate of the process and has written on it for a number of years. A list of Osterman's threat modeling posts is located on the Microsoft Secure Blog, along with the chart.
Microsoft has recently released the Microsoft Threat Modeling Tool 2016 to help model out the threats. You can read more on how the tool can help and download it here.
Microsoft Secure Blog | Download | Microsoft Patterns & Practices Threat Modeling
CERT has a risk management methodology that includes threat modeling called OCTAVE.