Welcome to the full schedule of the OWASP AppSec Research EU 2014 conference days
Thursday, June 26 • 12:05 - 12:50
Threat Modeling – A Brief History and the Unified Approach at Intuit


Threat Modeling is a software design analysis method that looks for security weaknesses by juxtaposing software design views against a set of attackers. 

Software engineers and security practitioners at Intuit have been practicing Threat Modeling in various ways for years. Intuit has used a Threat Model methodology based on STRIDE. The approach had many advantages, but also some drawbacks. These included the amount of time required to translate the information from development (generating the Data Flow Diagrams) and the difficulty of modeling different threat agents.

Intuit and Cigital unified their two Threat Modeling methodologies to produce an approach that satisfies various stakeholders at Intuit. The result is called Unified Threat Modeling, an approach that consists of identifying assets and attacker profiles, and documenting and suggesting a list of controls. It works for software architecture and system deployments (using the System Threat Modeling approach) as well as for interaction between different software and system components (via the Protocol Threat Modeling approach).


Scott Matsumoto

Principal Consultant, Cigital, Inc.
Scott Matsumoto is a Principal Consultant with Cigital. At Cigital, he is responsible for the mobile security practice within the company. He consults for many of Cigital’s clients on security architecture topics such as mobile security, Cloud Computing Security, as well as SOA Security and Governance. His prior experience encompasses development of component-based middleware, performance management systems, graphical UIs, language compilers...

Tin Zaw

Volunteer, OWASP
Tin Zaw currently co-leads the OWASP project on Automated Threats to Web Applications, along with Colin Watson. At his day job, he leads a global practice to help Verizon customers secure web properties at Verizon Digital Media. He started his career programming network protocols at QUALCOMM, participated in the early days of the web infrastructure at Inktomi, made security products for 100+ million users at Symantec, and led web and...

Thursday June 26, 2014 12:05 - 12:50