The Threat Assessment (TA) practice focuses on identifying and understanding project-level risks based on the functionality of the software being developed and the characteristics of its runtime environment. From details about threats and likely attacks against each project, the organization as a whole operates more effectively through better decisions about prioritization of security initiatives. Additionally, risk acceptance decisions are more informed and therefore better aligned to the business.

By starting with simple threat models and building application risk profiles, an organization improves over time. Ultimately, a sophisticated organization would maintain this information in a way that is tightly coupled to the compensating factors and pass-through risks from external entities. This provides greater breadth of understanding for potential downstream impacts from security issues, tradeoffs, or flaws, while keeping a close watch on the organization’s current performance against known threats.

Overview

Objective by maturity level:

Maturity 1: Best-effort identification of high-level threats to the organization and individual projects.
Maturity 2: Standardization and enterprise-wide analysis of software-related threats within the organization.
Maturity 3: Proactive improvement of threat coverage throughout the organization.

Streams

A: Application Risk Profile

Maturity 1: A basic assessment of the application risk is performed to understand the likelihood and impact of an attack.
Maturity 2: Understand the risk for all applications in the organization by centralizing the risk profile inventory for stakeholders.
Maturity 3: Periodically review application risk profiles at regular intervals to ensure accuracy and reflect the current state.
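The three maturity levels of this stream (a likelihood/impact assessment per application, a centralized inventory, and periodic review) can be carried as a small, scriptable data model. The following is an added example and not SAMM's own tooling: the questionnaire factors, their weights, the 1 to 5 scales, the rating bands and the 180-day review cadence are all constructed assumptions, chosen only to show the mechanics; an organization would substitute its own criteria.

```python
"""Added example (not part of the SAMM page): a minimal application risk
profile inventory. Likelihood and impact are each derived from yes/no
questionnaire answers on a constructed 1..5 scale; the factor names, their
weights, the rating bands and the review interval are assumptions."""
from dataclasses import dataclass, field
from datetime import date

# Constructed questionnaire: each factor answered True adds its weight.
LIKELIHOOD_FACTORS = {
    "internet_facing": 2,
    "anonymous_access": 1,
    "third_party_components": 1,
}
IMPACT_FACTORS = {
    "handles_pii": 2,
    "handles_payments": 2,
    "business_critical": 1,
}
REVIEW_INTERVAL_DAYS = 180  # assumed cadence for the maturity 3 periodic review


def score(answers, factors):
    """Start at 1, add the weight of every factor answered True, cap at 5."""
    raw = 1 + sum(weight for name, weight in factors.items() if answers.get(name, False))
    return min(raw, 5)


@dataclass
class RiskProfile:
    name: str
    owner: str
    answers: dict
    last_reviewed: date
    likelihood: int = field(init=False)
    impact: int = field(init=False)

    def __post_init__(self):
        self.likelihood = score(self.answers, LIKELIHOOD_FACTORS)
        self.impact = score(self.answers, IMPACT_FACTORS)

    @property
    def risk_score(self):
        # Likelihood x impact gives a 1..25 product (maturity 1 assessment).
        return self.likelihood * self.impact

    @property
    def rating(self):
        # Constructed banding of the product into three classes.
        if self.risk_score >= 15:
            return "high"
        if self.risk_score >= 6:
            return "medium"
        return "low"

    def review_due(self, today):
        # Maturity 3: flag profiles older than the agreed review interval.
        return (today - self.last_reviewed).days > REVIEW_INTERVAL_DAYS


class RiskInventory:
    """Maturity 2: one central place where stakeholders can query all profiles."""

    def __init__(self):
        self.profiles = {}

    def register(self, profile):
        self.profiles[profile.name] = profile

    def by_rating(self, rating):
        return sorted(p.name for p in self.profiles.values() if p.rating == rating)

    def stale(self, today):
        return sorted(p.name for p in self.profiles.values() if p.review_due(today))


def build_sample_inventory():
    """Constructed sample data for three hypothetical applications."""
    inv = RiskInventory()
    inv.register(RiskProfile("payments-api", "team-pay",
                             {"internet_facing": True, "anonymous_access": True,
                              "handles_pii": True, "handles_payments": True},
                             date(2024, 1, 1)))
    inv.register(RiskProfile("internal-wiki", "team-it",
                             {"third_party_components": True}, date(2024, 10, 1)))
    inv.register(RiskProfile("public-site", "team-web",
                             {"internet_facing": True, "business_critical": True},
                             date(2024, 3, 1)))
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for p in inventory.profiles.values():
        print(f"{p.name}: L={p.likelihood} I={p.impact} score={p.risk_score} {p.rating}")
    print("review due:", inventory.stale(date(2024, 12, 1)))
```

The value of the inventory is not the arithmetic but that every application is scored the same way and that the `stale` query makes the review obligation visible; a real deployment would feed the questionnaire from the application's own metadata rather than hand-entered answers.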

B: Threat Modeling

Maturity 1: Perform best-effort, risk-based threat modeling using brainstorming and existing diagrams with simple threat checklists.
Maturity 2: Standardize threat modeling training, processes, and tools to scale across the organization.
Maturity 3: Continuous optimization and automation of your threat modeling methodology.