Threat Modeling: Ask This;
Gerard Blokdyk
TLDR: Ask This;
1. What rules do you have that capture security objectives resulting from the process of threat modeling and are created with knowing what information in your design needs to be protected?
2. Do you develop cloud security standards, threat modeling methodologies, secure code practices, and processes in tandem with architects and system engineers?
3. How do you utilize threat modeling and quantitative risk analysis to formally specify and analyze the security of a self adaptive system under uncertainty at runtime?
4. When you audit your data using threat modeling, how much security is enough?
5. Do you incorporate threat modeling into the business requirements/design process of your SDLC?
6. Do you use threat modeling for new services, data and applications to find the ways business capability can be attacked?
7. What budget do you need or have to conduct a threat modeling process?
8. Is threat modeling integrated into your quality management systems?
9. How have threat models, use cases and security requirements been modified for your organization?
10. How does threat modeling keep security a step ahead of the risks?
11. Are your model components of cloud threat modeling different from non cloud threat modeling?
12. How do you use a threat model to drive security tests?
13. Is there an attack within the threat model that can violate the security goals?
14. How do you know if you are having a disruptive threat and have to innovate your business model?
15. Are there specific modeling languages and things that are being developed to make the threat modeling itself easier to do?
16. What are the components of your threat modeling and risk measurement approaches?
17. Do you currently use Threat Modeling to help build functional requirements?
18. What happens when a security requirement or a threat model changes?
19. During which phase of the software development lifecycle (SDLC) is threat modeling initiated?
20. How do you determine legitimate versus nefarious traffic?
21. Have you done architectural analysis, risk analysis and threat modeling on your software?
22. How does an external component change the threat model of the entire system?
23. What threat modeling process is used when designing software protections?
24. Do you bring attack trees into your threat modeling methodology?
25. What kinds of attacks and what kinds of attackers is a security measure meant to prevent against?
26. Which functionality needs threat modeling and security design reviews?
27. Which of the threats listed in the threat model can be afforded by the attacker in consideration (based on the resources needed for the attack)?
28. Which risk response planning techniques do you use to shift the impact of a threat to a third party, together with the responses?
29. Is threat modeling being done to determine security requirements for each sprint?
30. Are results from vulnerability tracking fed into the threat modeling process?
31. Do automatic threat modelling tools provide extra value to the security process?
32. Is the purpose of cloud threat modeling different?
33. When do you start threat modeling your application?
34. Which of the threats identified in your threat model apply to the code you are reviewing?
35. Is threat modeling part of R&D's fabric?
36. How effective is Threat Modeling in reducing the redundancy of test cases?
37. Who do you think would want to tamper with it, and what resources do you think they want to bring to bear?
38. Is threat modeling too tough to produce actionable results?
39. What sort of skill sets or roles are assigned threat modeling tasks?
40. What are the classes of existing threat modeling methods?
41. Where do you use threat modeling for IoT?
42. How do you use a threat model at design time?
43. What is the process you use to conduct threat modeling, understand and measure cyber risk, and prioritize investments to mitigate?
44. Do your projects have a standard for threat modeling?
45. Do you have clear, effective policies that talk about insider threat or address it?
46. What will an attacker strive to accomplish?
47. How much time do you have to decide if a threat is credible or not?
48. How much time do you have to decide if a threat is possible or not?
Organized by Key Themes: SECURITY, SYSTEMS, DESIGN, SOFTWARE, MANAGEMENT, SECURE, PRODUCT, THREAT, RISK, DEVELOPMENT:
SECURITY:
Do you incorporate threat modeling into the business requirements/design process of your SDLC?
Lead architecture design reviews with development and product management to incorporate effective threat modeling and security standards and tools into product design and development.
What have you learned from watching the operations?
Ensure your staff is involved in security activities throughout the software development lifecycle: design reviews, threat modeling, fuzzing, code reviews, tooling, penetration testing.
What types of attacks may be escaping your assessment tools?
Certify your personnel is involved in IaC (Infrastructure as Code) and performing threat modeling and design reviews to assess security implications and requirements for introduction of new technologies or products.
Where does it fit in the system development lifecycle?
Develop experience working with IT Cyber Security Risk and Controls related to environments including Hosted (internal) customer Environments, Data Networking Design and Operations, Threat Modeling, Data Protection, Cloud Cyber Security Management, Vulnerability Management, Incident Management, Firewall and segmentation.
What is the current size of the project, in terms of people involved?
Establish that your design is involved in architecture and security reviews, and threat modeling applications.
Will performing the exploit permanently deplete the attacker's resources?
Be sure your personnel is involved in security functions as understanding cloud architecture and performing design reviews, threat modeling, code and configuration reviews, and incident response.
How do you get support to improve the breadth and depth of your security program?
Work closely with the S and C and Engineering teams to implement processes and execute on broader security risk reviews and threat modeling across the entire company (new products, acquisitions or service models, vendor integrations, etc.).
What is the current size of the project, in terms of people involved?
Certify your strategy is involved in threat modeling and security risk assessments.
Which is the step that follows soon after identifying the threats in software threat modeling?
Make headway so that your design is involved in enforcing secure coding practices, threat modeling, identity and access management, and security incident responses and recovery.
SYSTEMS:
How should physical data be managed in workspaces?
Enhance threat modeling processes to produce convincing evidence self driving systems are reasonably free of security risk and that residual risks are managed.
What is the current size of the project, in terms of people involved?
Assure your process is involved in risk assessments, threat modeling, vulnerability management programs, or software, systems and solutions development and delivery.
How do you use a threat model to drive security tests?
Make sure the Signals and Systems Division engages in research related to advanced threat analysis, operational employment concepts, advanced EM spectrum management, test and evaluation, and knowledge management primarily through the application of modeling and simulation.
Has the cloud service provider had comprehensive penetration testing performed?
Perform threat modeling and risk assessments for current and forward model vehicle systems.
How does communication work within the development teams?
Plan and execute modeling and simulation systems development projects and design and develop simulation systems and modeling of simulation objects.
Which high risk applications are developed and released without security testing?
Develop experience modeling and documenting software systems and business processes.
How widely deployed is the vulnerable software or system?
Safeguard that your team applies deep expertise in causal modeling to develop large scale systems that are deployed across your organization.
What is the current size of the project, in terms of people involved?
Ensure your design is involved in Linux based systems.
What is the current size of the project, in terms of people involved?
Oversee that your team is involved in implementing radar, RF, and digital hardware concepts in physical systems.
What threats are possible in the environment where the software will be operating?
Ensure your strategy is involved in Operating Systems and Networks.
DESIGN:
Does your organization have a process for monitoring and identifying new threats, vulnerabilities and changes in the environment?
Secure that your team is evaluating product design features and identifying security gaps via threat modeling.
Do you identify and pinpoint evidence of attempted and blocked attacks down to the line of code?
Be confident that your personnel mentors developers and testers in security activities during the product lifecycle, such as secure design reviews/threat modeling, security code reviews, security test planning, and component security hardening, to identify potential security weaknesses.
How do you effectively prioritize threat mitigation efforts?
Secure design methodologies and threat modeling.
What is the current size of the project, in terms of people involved?
Safeguard that your organization is involved in API design and system architecture.
Will the initial rollout include all secure development practices or a subset?
Implement best practices for Secure Design, Threat Modeling and heuristic/signature endpoint detection.
How do you help development teams with remediation?
Develop experience integrating design workflows with agile product development teams.
Are the pricing and licensing models different for deploying to virtual machines versus physical devices?
Secure that your strategy drives resolution of organizational effectiveness issues, including team and leadership development, organizational design, workforce analysis and planning, business process improvement and departmental restructuring.
How do you integrate a provider's identity meta system with your identity management processes?
Safeguard that your staff collaborates with leaders of business, design, research, development, and other partners to improve the visibility of Content Design and integrate content early in the product development process.
How do you implement threat modeling?
Develop experience leading project teams to design and implement new solutions in areas of expertise.
What are the components of your threat modeling and risk measurement approaches?
Follow a user experience design process from concept to execution; approach design from a user's perspective, listening to users and balancing their needs alongside business goals and technical capabilities.
SOFTWARE:
What access privileges must an attacker have to be able to perform the attack?
Perform security threat modeling of your automotive software data distribution platform.
What is the current size of the project, in terms of people involved?
Ensure your design is involved in Threat Modeling and Secure Software Design.
What assets are most valuable, and what are values?
Consult software development teams in design and architecture of secure systems through Threat Modeling.
Are there any risks that people should know about the setup process?
Make sure your strategy is involved in methodologies and tools, for threat analysis of complex systems, as threat modeling and software fuzzing.
What is the current size of the project, in terms of people involved?
Be certain that your process is involved in statistical and data analysis and commercial data analysis software packages.
What is used to specify who can access specific registry settings?
Safeguard that your personnel is developing lightweight SDLC processes to embed into Product Design and Software Engineering workflows.
What is the maturity of the model used and how do you see it developing?
Guarantee your organization is involved in building software solutions (managing developing teams, writing code).
Does the information resource use or process any other confidential or restricted data?
Warrant that your staff is involved in architecting and deploying secure software in defined and virtualized networks.
How can organizations keep abreast of trends to identify and anticipate emerging threats and opportunities?
Make sure your group is involved in reverse engineering and software bug hunting.
Does the firewall meet other security standards and best practices?
Develop system design and software best practices for engineering teams.
MANAGEMENT:
How is your business and revenue model supported by your API?
Engage with Product Management and Engineering Architects to prove out new product or offering concepts from the security perspective; perform high-level threat modeling, support product compliance requirement analysis.
How are threats and vulnerabilities included in the environment specification?
Develop experience executing project management skills including design review, threat modeling, and risk profiling while working across a large, complex, distributed organization that is representative of a diverse IT community to include policy, regulations, and compliance requirements.
What is the current size of the project, in terms of people involved?
Check that your personnel is involved in business continuity management, threat modeling and vulnerability management programs.
Did the guidelines provide enough information to detect the flaw?
Provide expertise to engineering teams on SDL including threat modeling, secure design, secure development, secure testing, vulnerability assessments, and secure management for software and firmware development.
How much time do you have to decide if a threat is possible or not?
Be certain that your group is involved in common SDLC tools: static and dynamic code analysis, open source management, threat modeling, etc.
How will you determine if some threats or events require enhanced emphasis and investment or have already received sufficient focus?
Invest in threat and vulnerability management activities, including: triage of new vulnerabilities, root cause analysis, threat modeling and mitigation planning.
Does the system track how many failed login attempts a user has experienced?
Establish that your team has involvement in designing and implementing secure mobile applications (Authentication, Encryption, Session Management, Least Privilege, Threat Modeling).
Can an attacker assume the identity of a privileged user?
Establish and mature the enterprise threat management program to include threat aggregation, analysis, modeling, hunts, and insider.
Does the firewall include software that can manage all of the firewall instances in the cloud?
Oversee that your team is involved in ethical hacking and vulnerability management reporting.
What are the leading causes and risks in cybersecurity?
Lead business modeling and analysis efforts across all phases of the project management process.
SECURE:
What fraction of an attacker's day is spent performing attacks?
Guarantee your design is involved in performing Threat Modeling and designing secure Architecture.
What are the best practices adopted by agile software development teams?
Drive a secure SDLC program with the product and engineering teams, ensuring secure coding and threat modeling practices are adopted and taking place.
Do you currently use Threat Modeling to help build functional requirements?
Ensure your operation is leading threat modeling and secure architecture reviews.
What is the current size of the project, in terms of people involved?
Verify that your design is involved in code reviews and secure product design.
Does the threat prevention service support behavioral analysis?
Create application threat models, perform secure code reviews, and ensure the use of secure coding practices, with the support of the Infosec team.
What is the current size of the project, in terms of people involved?
Assure your strategy is involved in manual secure code assessments in a variety of common languages.
Does your organization automatically disable dormant accounts after a set period of inactivity?
Make sure your staff is involved in designing and architecting secure cloud native web applications.
What business process is being performed or supported?
Build and sustain secure design and architecture processes that support organizational goals and strategy.
Are teams required to complete all of the secure development practices?
Make sure your workforce is involved in secure coding techniques and best practices.
What will prevent the system from reaching mission requirements due to threats causing vulnerabilities?
Develop experience developing secure cloud resource deployment templates in Cloud Service Providers using infrastructure as code frameworks.
PRODUCT:
What technical security services do databases provide?
Make sure the team leads product threat modeling, measures and recommends BSIMM behaviors, and manages a highly visible security champions program.
Does the user have to leave the normal flow of the application to perform the activity?
Partner with product teams to review new products and features, develop threat models and perform risk assessments.
What kinds of architectures are able to mitigate risks to a reasonable level?
Liaison so that your operation is developing your overall threat model, and working to understand and mitigate risk across the spectrum your organization, the product, and the infrastructure.
What needs to be done to assure delivery of the required services?
Coordinate, participate, and deliver threat modeling for products.
Which functionality needs threat modeling and security design reviews?
Interface so that your process supports technology architecture design review efforts for project and product teams.
Is it threatening or is it transforming the traditional model?
Oversee that your design is involved in collecting, analyzing, and interpreting data from multiple sources, documenting the results and providing meaningful analytic products.
Does your solution support risk modeling and prioritization?
Interface so that your company is involved in partnering with product and program management teams.
What is the current size of the project, in terms of people involved?
Check that your process is involved in managing product vendors and associated budgets.
How do you get support to improve the breadth and depth of your security program?
Participate in the corporate development process by evaluating potential acquisitions and then working on integrating companies, products and team members after an acquisition.
When is it more cost effective to build security in?
Collaborate across factory management teams, product, logistics, and FP and A functions to identify and record financial exposure related to slow moving or obsolete inventory, develop accounting flows for new business models, and create models as a basis for forward looking plans and forecasts (including ROI analysis for capital investments and validation of cost improvement projects).
THREAT:
What is the current size of the project, in terms of people involved?
Oversee that your team is involved in threat modeling or other risk identification techniques, and risk management.
What is the current size of the project, in terms of people involved?
Make sure your organization is involved in threat modeling and asset risk analysis.
What is the current size of the project, in terms of people involved?
Make sure your workforce is involved in threat modeling methodologies and risk frameworks.
Are matters any better when there is no work for hire clause in the picture?
Make sure there is ability and involvement performing threat modeling, data flow diagramming, architecture risk analysis, identifying bugs and flaws and driving work items from such activities to resolution.
Have you previously participated in the threat modeling process?
Participate in secure design considerations during threat modeling sessions, as well as participate in risk assessments.
What is the current size of the project, in terms of people involved?
Confirm that your workforce is involved in threat modeling and risk identification.
Does the app provide access to only necessary entities?
Secure that your design is involved in threat modeling for embedded and IoT systems.
Is storage in the data store set to a known value after use?
Develop experience performing threat modeling and design reviews to identify new detection use cases.
What is the current size of the project, in terms of people involved?
Confirm that your design is involved in application threat modeling and application architecture.
How hard is it for users to deny performing an action?
Ensure your group is involved in performing threat modeling and designing secure mobile application architecture.
RISK:
What is the current size of the project, in terms of people involved?
Be sure your team is involved in the application of threat modeling or other risk identification techniques.
What are the benefits of developing conceptual models?
Be sure your workforce is overseeing and developing a multi tenant risk based vulnerability and baseline management program and functional network threat modeling program.
How do you allocate your budget for insider threat?
Liaison so that your organization assesses applications, designs threat models, documents potential risk vectors, checks for code vulnerabilities, recommends proportional controls and ensures risks are resolved expeditiously.
Which portions of the project will require security design reviews before release?
Perform architectural risk analysis, threat modeling, secure design and source code review.
What are the general security measures when using the internet?
Monitor the cyber landscape for emerging threats and the potential impact (risk) to your organization using threat modeling analysis tools and resources.
What are the most appropriate levels of granularity at which to perform threat modeling?
Learn threat modeling techniques and perform threat and risk assessments of your source code repository and cloud environments.
What content does an effective security testing framework for database systems need to include?
Utilize corporate risk register to mature the threat modeling process for protecting your organization's high value assets.
What decision processes drive the inclusion of threat actors?
Participate in and conduct application threat modeling exercises in order to identify and drive risk decisions, and influence technical designs and architectures.
Who is responsible for implementing and maintaining security measures in the equipment?
Develop or support threat modeling (threat type, impact, risk rating, counter measures, residual risks, and gap analysis) for in scope products.
What falls outside the scope of database security management?
Manage the methodologies for threat modeling and risk modeling.
DEVELOPMENT:
How have your modeling practices improved over the past year?
Ensure your workforce is integrating threat modeling practices into the product development life cycle.
What facilities in the operating system can be used to implement security requirements?
Engage in the software development lifecycle (SDLC) to ensure secure designs and coding practices and integrate threat modeling, required tools, standards, and metrics into release processes as well as operating environments.
How do you conduct a threat rating?
Lead and conduct threat modeling activities during Secure Development Lifecycle (SDL).
What are leading causes and risks in cybersecurity?
Lead threat modeling, design reviews and code reviews in the context of the development lifecycle.
Have the procedures and/or equipment prevented program/project problems?
Ensure you have involvement integrating threat modeling throughout the application development lifecycle.
Have you previously participated in the threat modeling process?
Participate in architectural reviews and threat modeling of applications across development teams.
What type of models did you use throughout the process?
Invest in formulating a threat modeling strategy; collaborate with development to influence and advance the same.
Does the framework introduce any significant problems or complications?
Make sure your team works with business and development teams in recommending process or system design and enhancements.
What is the current size of the project, in terms of people involved?
Make sure your design is involved in Agile software development methodologies.
Are you familiar with secure software practices in your unit?
Secure development practices including threat modeling, architecture, design, vulnerability assessment.