Threat modelling: finding flaws before software goes live

Is software secure enough? Or are developers leaving the door open to criminal hackers?

Testing applications for security flaws is time consuming and expensive. And it is not always effective, as the steady stream of vulnerabilities, including zero-days, still being found in shipped code shows.

The idea of building security into new hardware and software products from the outset has gained ground over the last few years.

And the move to "shift left" and introduce security by design has gathered further momentum, following growing concerns about supply chain attacks.

One way to achieve this is through threat modelling. Threat modelling is not, itself, new: Microsoft did pioneering work on the technique in the Nineties.

But it is now being adopted by bodies such as NIST, through its minimum standard for verifying code, with the goal of reducing zero days.

Our guest in this episode is Stephen de Vries, co-founder and CEO of IriusRisk. De Vries has worked on threat modelling for over a decade. He explains why organisations should add it to their security toolkit.

IriusRisk co-founder Stephen de Vries

Featured image by Benjamin Nelan from Pixabay