AppSec Europe 2014 has ended
Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Back To Schedule
Thursday, June 26 • 12:05 - 12:50
Threat Modeling – A Brief History and the Unified Approach at Intuit

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Threat Modeling is a software design analysis method that looks for security weaknesses by juxtaposing software design views against a set of attackers. 

Software engineers and security practitioners at Intuit have been practicing Threat Modeling in various ways for years. Intuit has used a Threat Model methodology based on STRIDE. The approach had many advantages, but also some drawbacks. Some of the drawbacks included amount of time required to translate the information from development (generating the Data Flow Diagrams) and difficulty in modeling different threat agents. 

Intuit and Cigital unified their two Threat Modeling methodologies to produce an approach that satisfies various stakeholders at Intuit. The result was what is called Unified Threat Modeling, an approach that consists of identifying assets and attacker profiles, and documenting and suggesting a list of controls. It works for software architecture and system deployments (using System Threat Modeling approach) as well as for interaction between different software and system components (via Protocol Threat Modeling approach). 


Scott Matsumoto

Principal Consultant, Cigital, Inc.
Scott Matsumoto is a Principal Consultant with Cigital. At Cigital, he is responsible for the mobile security practice within the company. He consults for many of Cigital’s clients on security architecture topics such as mobile security, Cloud Computing Security, as well as SOA... Read More →
avatar for Tin Zaw

Tin Zaw

Director, Security Solutions, Verizon
The author resides in sunny southern California, where he seeks a Zen state of mind amid the chaotic mix of technology, society and cyber threats. Wanting to make the world safer online, he gave up his beloved programming job to focus on cyber security. He is a former president of... Read More →

Thursday June 26, 2014 12:05 - 12:50 BST

Attendees (0)