
You lead an integrated product team to develop a software solution. Which of the following is incorrect about threat modeling? (Wentz QOTD)
A. Threat modeling emphasizes identifying and addressing design flaws before coding.
B. Ideally, threat modeling is applied as soon as an architecture has been established.
C. Threat modeling should be conducted in the initiation phase as mentioned in the NIST SDLC.
D. The express aim of threat modeling is to identify and eliminate architectural and design issues.
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Threat modeling should be conducted in the initiation phase as mentioned in the NIST SDLC.
Wentz’s book, The Effective CISSP: Security and Risk Management, helps CISSP and CISM aspirants build a solid conceptual security model. It is a tutorial for information security and a supplement to the official study guides for the CISSP and CISM exams and an informative reference for security professionals.

In software development we follow the software development life cycle, not the system development life cycle. Both share the acronym SDLC and are easily confused, but they are applied in different contexts and have different scopes. In our peacock model, a metaphor for an information system, the software is only one of the constituent elements of an information system. Moreover, we authorize an information system to operate, not the software by itself. The central theme of the NIST SDLC is the information system, so applying the system SDLC to direct software development is inappropriate. For example, NIST SP 800-218 (draft) explicitly distinguishes the software development life cycle from the system development life cycle as follows:
Note that SDLC is also widely used for “system development life cycle.” All usage of “SDLC” in this document is referencing software, not systems.


Threat Modeling
We all agree that security needs and requirements should be addressed across the life cycle and as early as possible. It is not uncommon for people to argue that threat modeling should be conducted at the beginning of a software development project. However, most threat modeling approaches focus on addressing design issues, which presupposes an established architecture to analyze:
Threat modeling is a core activity and a fundamental practice in the process of building trusted technology; it has been identified as one of the best “return on investment” activities with respect to identifying and addressing design flaws before their implementation into code. It aims to identify the attacks a system must resist and the defenses that will bring the system to a desired defensive state.
The express aim of threat modeling is to identify and eliminate design issues: to identify security weaknesses or arrive at a set of security needs that must be built.
Source: SAFECode

Reference
- NIST SP 800-218 V1.1 (draft)
- SDL That Won’t Break the Bank
- Fundamental Practices for Secure Software Development
- Tactical Threat Modeling
- Simplified Implementation of the Microsoft SDL