Original post by @preethisampath
If an organization was to conduct a survey about its Threat Modeling program what are the top 5 things that the survey must aim to ask?
Say, the stakeholders for this survey would be the application architects & managers.
Original post by @irene221b
For an existing program, I’d ask:
Does your team know when they need to perform threat modelling (TM)?
Is there a clear process for initiating and preparing a TM session? For asking for help? (I’m making a massive assumption here of a very mature program where it’s team-driven and they can ask a security engineer to attend on difficult cases.)
How often did it happen in your team / application in your scope in the last x months?
Is there a clear process for translating TM findings into further investigation/prioritisation/work?
In the last x months, how many changes/additional controls/mitigations have you implemented as a result of TM?
Again, every question has tons of hidden assumptions on the maturity of your program and the team topologies.
Original post by @BrookShoenfield
It’s @irene221b’s last question that I find most useful: what actually got built as a result of a model?
The answer to that question highlights whether models are effective.
That metric can also be used to determine the effectiveness of those responsible for leading modelling (security architects, security champions, whomever). Most of the measures of security people doing secure design, I find pretty meaningless because project size and complexity vary, dev teams vary in their capacity and skill to define needed security, all of which make things like Total Security Requirements or number of projects worked and the like, meaningless.
But, effective security practitioners know how to get security items built! That single metric can only come about when:
- models actually get built (whether formal or not)
- dev and security work well together
- dev agree that security matters, the “why” has been explained and accepted
- prioritization is effective
Not exactly one number to ‘rule them all’, but certainly one very useful number.