TM: reveal complete or find news?

I’m curious: What’s your preferred goal of threat modeling?

(1) Reveal complete: We want a complete threat ⇆ mitigation mapping for our scope.

(2) Find news: We focus our analysis on what we don’t know yet.

I’ve had several threat modeling sessions that started with quite a lot of security considerations done upfront. How do you incorporate that (or not)?

Hendrik

My approach falls into your ‘reveal complete’ category. In my experience (for a system that hasn’t been TM’d before) any existing capture of security information isn’t standardised, so capturing it in a standard way helps to add structure (which helps to detect if things are missing), and it makes it easier for others to review, learn from and copy. My approach actively encourages capturing existing controls, which then became a great list of things for security testers to actually look at to confirm those controls work as expected!

2 Likes

Well, my approach is also in line with ‘reveal complete’. A capture of the current state, with existing control sets and what controls exist that are not implemented, is a great start to directly add value to the whole exercise. It also gives some realistic insights into real threats.

1 Like