
How Does Threat Modeling Work in Software Development?

Threat modeling should be a continuous process alongside development, not a one-time project.

Archie Agarwal, Founder and CEO, ThreatModeler

January 25, 2022

A wooden posing dummy leans over a keyboard that is wrapped with a padlocked chain
Source: Succo via Pixabay

Question: How does threat modeling work in software development?

Archie Agarwal, founder and CEO, ThreatModeler: Threat modeling is the process of identifying potential threats and taking action to prevent them. We all do this in some form, from buying a better lock for our new bicycle to putting a PIN on our mobile phone.

In the cycle padlock example, a determination is made as to the value of the bike, the likelihood of theft, and the value of investing in a more robust padlock. This is threat modeling – and it is no different in software development. We look at the threat landscape, assessing the likelihood of attack, the value of the asset, and the path a miscreant would take, and put an appropriate control in place to thwart them.

Threat modeling should be included early in the software development life cycle. Sadly, many security practices are reactive and applied at the end instead. Threat modeling is a proactive security practice and should be part of the secure design initiative. In fact, threat modeling is the primary route to secure design.

The benefits of threat modeling early are many. It is far more challenging and resource-intensive to re-engineer security after the fact than it is to weave it into the design and build from the start. Threat modeling should be a continuous process alongside the development process, not a one-time project.

The truth is, threat modeling is natural to us and highly intuitive and approachable. It should be part of every software development process.
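The answer above describes the reasoning of a threat model (the value of the asset, the likelihood of attack, the path an attacker would take, and the control chosen in response) and argues that it should run continuously alongside development rather than once. One way to make that concrete is to keep the threat model as a small versioned artifact in the repository and re-evaluate it on every change, failing the build when a high-risk threat has no control recorded against it. The following is an added example written for this page; it is not code from the article, from the author, or from ThreatModeler. The 1 to 5 scoring scale, the sample web application, the threats, and the risk threshold are all assumptions made for illustration.

```python
"""Threat model as a versioned artifact with a CI gate (added example).

Captures the reasoning described in the answer as data that lives next to the
code: each threat names the asset at stake, the attacker's path, how likely it
is, and which controls are in place.  Scoring uses a simple 1..5 scale on both
axes (an assumption for illustration, not a standard).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: int  # 1 (low) .. 5 (critical): what is lost if this is compromised


@dataclass
class Threat:
    asset: str            # name of the Asset under threat
    path: str             # the route the attacker would take
    likelihood: int       # 1 (rare) .. 5 (expected)
    controls: List[str] = field(default_factory=list)  # mitigations in place


@dataclass
class Model:
    assets: List[Asset]
    threats: List[Threat]

    def asset_values(self) -> Dict[str, int]:
        return {a.name: a.value for a in self.assets}


def validate(model: Model) -> None:
    """Reject a stale model: every threat must point at a known asset, and
    scores must stay on the agreed scale.  Catches the common failure where an
    asset is renamed in a refactor and its threats silently stop scoring."""
    known = model.asset_values()
    for t in model.threats:
        if t.asset not in known:
            raise ValueError(f"threat '{t.path}' references unknown asset '{t.asset}'")
        if not 1 <= t.likelihood <= 5:
            raise ValueError(f"threat '{t.path}' has likelihood outside 1..5")
    for a in model.assets:
        if not 1 <= a.value <= 5:
            raise ValueError(f"asset '{a.name}' has value outside 1..5")


def rank_threats(model: Model) -> List[Tuple[Threat, int]]:
    """Score each threat as likelihood x asset value and sort, highest first.
    This is the 'is a better padlock worth it' judgement, made explicit."""
    validate(model)
    values = model.asset_values()
    scored = [(t, t.likelihood * values[t.asset]) for t in model.threats]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def ci_gate(model: Model, threshold: int) -> List[str]:
    """Return the paths of threats at or above `threshold` that have no
    control recorded.  An empty list means the gate passes; a build step can
    fail on a non-empty result so the model is revisited with the change."""
    return [t.path for t, risk in rank_threats(model)
            if risk >= threshold and not t.controls]


# Constructed sample model for a small web application (assumed, not real).
MODEL = Model(
    assets=[
        Asset("customer PII database", 5),
        Asset("session tokens", 4),
        Asset("public marketing pages", 1),
    ],
    threats=[
        Threat("customer PII database", "SQL injection via search parameter", 4,
               controls=["parameterized queries", "least-privilege DB role"]),
        Threat("session tokens", "token theft via XSS in comment field", 3),
        Threat("customer PII database", "backup bucket left public", 2,
               controls=["bucket policy denies public access"]),
        Threat("public marketing pages", "defacement via CMS default credentials", 3),
    ],
)

RISK_THRESHOLD = 8  # assumed gate: anything scoring 8+ needs a recorded control


if __name__ == "__main__":
    for threat, risk in rank_threats(MODEL):
        status = "mitigated" if threat.controls else "NO CONTROL"
        print(f"{risk:>3}  {threat.asset:<26} {threat.path:<42} {status}")
    open_items = ci_gate(MODEL, RISK_THRESHOLD)
    if open_items:
        raise SystemExit(f"threat model gate failed: {open_items}")
    print("threat model gate passed")
```

Run as a script it prints the ranked list and exits non-zero because the XSS path against session tokens scores 12 with no control recorded, while the defacement threat scores only 3 and passes. The same check wired into a pipeline is what turns the model from a one-time document into the continuous practice the answer calls for: a change that adds an asset or a new attacker path updates the file, and the gate forces the control decision to be made at design time instead of after the fact.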

About the Author

Archie Agarwal

Founder and CEO, ThreatModeler

Archie Agarwal is the founder, CEO, and Chief Technical Architect of ThreatModeler. He is a Certified Information Systems Security Professional (CISSP) and is SANS GWEB certified. Agarwal has more than 20 years of experience in risk and threat analysis. When he served at WhiteHat Security (now NTT Application Security) as director of education and thought leader, he specialized in threat modeling, security training, and strategic development. He has also held positions at PayCycle (acquired by Intuit), Citi, HSBC, and Cisco.

