Journals & Magazines >IEEE Security & Privacy >Volume: 9 Issue: 4

Developer-Driven Threat Modeling: Lessons Learned in the Trenches

Download PDF
Download References
Request Permissions
Save to
Alerts

Abstract:

This article describes EMC/s real-world experiences with threat modeling, including major challenges encountered, lessons learned, and a description of the company's curr...Show More

Metadata

Abstract:

This article describes EMC/s real-world experiences with threat modeling, including major challenges encountered, lessons learned, and a description of the company's current developer-driven approach. Threat modeling is a conceptual exercise in which we analyze a system's architecture or design to find security flaws and reduce architectural risk.

Published in: IEEE Security & Privacy ( Volume: 9, Issue: 4, July-Aug. 2011)

Page(s): 41 - 47

Date of Publication: 12 May 2011

ISSN Information:

DOI: 10.1109/MSP.2011.47

Contents

A Developer-Driven Threat-Modeling Process

In 2007, EMC began efforts to roll out threat modeling as an integral part of its secure software development processes. The intent was to address security better and embed security considerations into software design processes and throughout the corporation's culture. The threat-modeling process at EMC has evolved over the past few years and currently involves •

creating an annotated dataflow diagram;

•

identifying and analyzing threats, guided by a threat library;

•

assessing threats' technical risk; and

•

mitigating threats to reduce risk.

Developer-Driven Threat Modeling: Lessons Learned in the Trenches

Abstract:

Metadata

Abstract:

ISSN Information:

A Developer-Driven Threat-Modeling Process

IEEE Account

Purchase Details

Profile Information

Need Help?

Developer-Driven Threat Modeling: Lessons Learned in the Trenches

Alerts

Abstract:

Metadata

Abstract:

ISSN Information:

A Developer-Driven Threat-Modeling Process