Shostack + Friends Blog


LeanAppSec Announcement

Watch a masterclass in effective security processes

[Thumbnail from the event]

Let’s be honest. Threat modeling has something of a bad rap.

The typical AppSec "process" is a predictable tragedy: we develop software, run it through a pen test at the last minute, and—gasp—discover "oh my gosh there's big problems." Then come the ugly escalations and missed schedules.

It’s an inefficient, expensive way to build technology. And in a time of budget cuts and shrinking headcount, it's just not sustainable.

Rethinking this dynamic was the focus of Adam's recent session, "The Four Question Framework for Threat Modeling". He argued that threat modeling isn't the slow, heavy process critics claim; it’s the key to actually "measuring twice and cutting once" for security.

If you missed it, here are two takeaways. You'll need to listen to the full episode to find a third lesson that works for YOUR organization :)


1. The Four Question Framework (Stop Overcomplicating It)

Adam argued that all effective threat modeling boils down to a simple Four Question Framework:

  • What are we working on?
  • What can go wrong?
  • What are we going to do about it?
  • Did we do a good job?

From engineers to C-suite, this framework creates a common language for everyone. Adam noted how tools like STRIDE aren't "old and tired"; they're a "proven classic" for helping you answer "What can go wrong?" in a structured, repeatable way.


2. It's a "Dial," Not a "Switch"

If you want to reply to anyone who is still convinced that threat modeling is "too slow", listen to Adam's response. When asked if threat modeling should be done for every feature, Adam's answer was "Yes and yes," but with a critical nuance.

Threat modeling is a "dial, not a switch."

You don't need a 100-page report for every user story. For most features (he estimated 60-90%), the "threat model" is simply stating, "We considered security and believe this story has no security impact." That's it. You only turn the dial up for the features that actually introduce new risks. This lean approach stops teams from gaming the system and actually integrates security thinking into the daily workflow.


3. Find YOUR Third!

If you've enjoyed these high-level takeaways, make sure to check out the full episode at LeanAppSec. Thank you to the LeanAppSec team and especially Jenn Gile for facilitating.