📈 How to Scale Threat Modeling

Many AppSec teams struggle with this

Here's how @JacobSalassi did it in a hypergrowth startup: @SnowflakeDB

Now the story of a scrappy startup on its way to IPO, and the teams who had no choice but to scale their processes, together 👇
Out of the 100s of AppSec articles I've read in the past year, this is easily one of my top 3 on threat modeling

Tons of detailed, actionable insights and a few spot on memes

Summary thread 🧵 below, but check out the article here: https://r2c.dev/blog/2021/appsec-development-keeping-it-all-together-at-scale/
1⃣ First, ProdSec threat modeled every story

✅ Consistent quality, standardized evidence collection
🛑 Painful backlog: few security engs vs devs, slowed engineering

This could not continue. Security was slowing the business down.

How can we decentralize security reviews?
2⃣ Devs threat model every story

Every team gets a Security Champion who owns the process

✅ Devs were unblocked, backlogs stabilized
🛑 Threat modeling was too slow: 2-6 hours each

Devs felt they "didn't have time" for security

We needed a lighter-weight way to assess risk 🪶
3⃣ Devs assess risk on every story

Do a risk assessment for every story and only threat model (TM) the ones with a 'non-low' outcome

✅ Fewer stories need TMing, and the risk assessment still gave auditability for compliance
🛑 Still required TMing too many things; the process still had friction

💡 Insight: more things can be skipped
4⃣ What started working

Current process:
1. Project risk assessment - helps teams manage the risk timeline
2. Security Impact Assessment - exit if changes don't affect security
3. Risk assessment - is this high risk?
4. Threat model - analyze risky designs and create mitigations
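To make the gating concrete, here is an added example (not code from the article, r2c, or Snowflake) that runs a backlog of stories through gates 2-4 of the current process: exit at the Security Impact Assessment when nothing security-relevant changed, assess risk, and require a threat model only at or above a threshold. The evidence list on each decision is what you would retain for compliance. The four impact questions, the three risk factors, the count-based scoring rule and the sample stories are all constructed assumptions; step 1 (project risk assessment) is a planning activity and is not modelled. The `threshold` parameter lets you compare the stage-3 'non-low' rule with the stage-4 'high risk only' rule on the same backlog.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List


class Risk(Enum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2


# Security Impact Assessment (SIA) questions a developer answers per story.
# These four are a constructed illustration, not the questions used at Snowflake.
IMPACT_QUESTIONS = (
    "touches_authn_authz",
    "handles_customer_data",
    "new_external_interface",
    "changes_crypto_or_secrets",
)

# Risk-assessment factors; again constructed for this example.
RISK_FACTORS = ("internet_exposed", "new_trust_boundary", "privileged_component")


@dataclass
class Story:
    id: str
    title: str
    impact: Dict[str, bool] = field(default_factory=dict)   # SIA answers
    factors: Dict[str, bool] = field(default_factory=dict)  # risk-assessment answers


@dataclass
class Decision:
    story_id: str
    exited_at: str            # which gate produced the decision
    risk: Risk
    threat_model_required: bool
    evidence: List[str]       # retained for auditability


def has_security_impact(story: Story) -> bool:
    """Gate 2: exit if the change does not affect security."""
    return any(story.impact.get(q, False) for q in IMPACT_QUESTIONS)


def assess_risk(story: Story) -> Risk:
    """Gate 3: deliberately simple scoring rule (an assumption): count true factors."""
    hits = sum(1 for f in RISK_FACTORS if story.factors.get(f, False))
    if hits == 0:
        return Risk.LOW
    if hits == 1:
        return Risk.MEDIUM
    return Risk.HIGH


def triage(story: Story, threshold: Risk = Risk.HIGH) -> Decision:
    """Run a story through gates 2-4. `threshold` is the lowest risk level that
    still requires a threat model: Risk.MEDIUM reproduces the stage-3 'non-low'
    rule, Risk.HIGH the stage-4 'is this high risk?' rule."""
    evidence = [f"story={story.id} title={story.title!r}"]
    if not has_security_impact(story):
        evidence.append("SIA: no security-relevant change, exit")
        return Decision(story.id, "security_impact_assessment", Risk.LOW, False, evidence)
    answered = sorted(q for q in IMPACT_QUESTIONS if story.impact.get(q))
    evidence.append(f"SIA: impact on {answered}")
    risk = assess_risk(story)
    evidence.append(f"risk assessment: {risk.name}")
    if risk.value < threshold.value:
        evidence.append(f"below threshold {threshold.name}, no threat model")
        return Decision(story.id, "risk_assessment", risk, False, evidence)
    evidence.append("threat model required")
    return Decision(story.id, "threat_model", risk, True, evidence)


def threat_model_count(stories: List[Story], threshold: Risk) -> int:
    """How many stories still need a full threat model under a given threshold."""
    return sum(1 for s in stories if triage(s, threshold).threat_model_required)


# Constructed sample backlog.
BACKLOG = [
    Story("S-1", "Rename the Export button"),
    Story("S-2", "Add a new public metrics endpoint",
          impact={"new_external_interface": True},
          factors={"internet_exposed": True}),
    Story("S-3", "New OAuth token exchange flow",
          impact={"touches_authn_authz": True, "changes_crypto_or_secrets": True},
          factors={"internet_exposed": True, "new_trust_boundary": True}),
]

if __name__ == "__main__":
    for s in BACKLOG:
        d = triage(s)
        print(d.story_id, d.exited_at, d.risk.name, d.threat_model_required)
        for line in d.evidence:
            print("   ", line)
    print("threat models under 'non-low' rule:", threat_model_count(BACKLOG, Risk.MEDIUM))
    print("threat models under 'high only' rule:", threat_model_count(BACKLOG, Risk.HIGH))
```

On the sample backlog the 'non-low' rule sends two of three stories to a threat model, while the 'high risk only' rule sends one; the SIA exit drops the cosmetic change before any risk scoring happens. The evidence list is the important part for a real rollout: whichever gate a story exits at, the record of which questions were answered and why no threat model was done is what an auditor asks for.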
🚀 Where they're headed

1. Converting mitigations created by threat models into re-usable secure defaults. Never threat model the same thing twice.

2. Using SAST tools like Semgrep to reduce the cognitive overhead of code reviews and increase the odds a bug will be detected.
You can follow @clintgibler.