Threat Modeling Whitepapers from Shostack + Associates


The Four Question Framework

The Four Question Framework for Threat Modeling takes a deep look at the specific design of the Four Questions. The questions provide a framework and language for effective threat modeling, and have been called "deceptively simple."


Inherent Threats

Inherent Threats: Clarifying a property of threats, our latest whitepaper, is now available. It shows how the fact that some threats are inherent to a system changes how we answer “What are we going to do about that threat?”

For example, a money-moving app can be used to move money to the wrong place, at the wrong time, or in the wrong amount. Those are inherent dangers of such an app, and the way we mitigate them is different from the way we mitigate, say, accidental use of files in a shared directory.


Fast, Cheap, and Good

Fast, Cheap and Good: An Unusual Tradeoff Available in Threat Modeling is our third corporate whitepaper. It examines some of the organizational drivers that inform the ways we threat model, including who's doing the work and why. The paper catalogs a set of fast, cheap and good approaches that can help you get started.


The Jenga View of Threat Modeling

The Jenga View of Threat Modeling, our first corporate whitepaper, breaks out the different types of threat modeling work in a new way. The Jenga view helps you understand the diverse changes an organization makes to enable threat modeling, and through that understanding, helps you accelerate.


Reasonable Software Security Engineering

A whitepaper written for ISACA. Many businesses today make promises like “we take your security seriously,” or “we are secure by design.” That’s great, if your efforts are centered in engineering, rather than marketing or legal. In this Perspective article, we’ll talk about the growing need for security engineering, including what, why, where, how and when.
Paper (Registration required)
Podcast