From the course: Learning Threat Modeling for Security Professionals

Why would you threat model?

- The best time to find security problems is before they happen, and the very best time is before any work needs to be redone, before anyone's written a line of code, before any images or containers have been configured. But how do you do that? You can't run standard tools like Nmap or ZAP to see what's wrong. The fact is, projects often start at a whiteboard, but too often, security isn't at that whiteboard, engaging in trade-offs with developers or operations, because we lack tools to be part of these conversations. Worse, we in security have a reputation. Ask two security experts, get three versions of no. Threat modeling is a structured way to discover problems lurking in a project. You can threat model at any time, but the biggest payoff comes from threat modeling early. Planning for threat modeling ensures that there's a way to consistently unearth problems. Systematic, structured, comprehensive threat modeling helps security get a seat at the table. There are many ways to threat model. Threat modeling isn't a monolith any more than sysadmining is a monolith. I'll focus on the most broadly applicable building blocks. You'll learn these course skills, tools, and techniques first, and over time, you'll end up with a whole set. Threat modeling is the best way to bring structure to your security work, and it's a skill set that you'll use for the rest of your career.
