AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
View analytic
Thursday, June 26 • 12:05 - 12:50
Threat Modeling – A Brief History and the Unified Approach at Intuit

Sign up or log in to save this to your schedule and see who's attending!

Threat Modeling is a software design analysis method that looks for security weaknesses by juxtaposing software design views against a set of attackers. 

Software engineers and security practitioners at Intuit have been practicing Threat Modeling in various ways for years. Intuit has used a Threat Model methodology based on STRIDE. The approach had many advantages, but also some drawbacks. Some of the drawbacks included amount of time required to translate the information from development (generating the Data Flow Diagrams) and difficulty in modeling different threat agents. 

Intuit and Cigital unified their two Threat Modeling methodologies to produce an approach that satisfies various stakeholders at Intuit. The result was what is called Unified Threat Modeling, an approach that consists of identifying assets and attacker profiles, and documenting and suggesting a list of controls. It works for software architecture and system deployments (using System Threat Modeling approach) as well as for interaction between different software and system components (via Protocol Threat Modeling approach). 


Scott Matsumoto

Principal Consultant, Cigital, Inc.
Scott Matsumoto is a Principal Consultant with Cigital. At Cigital, he is responsible for the mobile security practice within the company. He consults for many of Cigital’s clients on security architecture topics such as mobile security, Cloud Computing Security, as well as SOA... Read More →
avatar for Tin Zaw

Tin Zaw

Director, Security Solutions, Verizon
Tin Zaw has served as Verizon Digital Media Services’ director of global security solutions since 2015. He and his team provide managed and professional security services protecting their clients' web properties from exterior threats from the internet. He launched the services during... Read More →

Thursday June 26, 2014 12:05 - 12:50
  • Company 35

Attendees (0)