What! Think before coding? WHY?

Brett Crawley
Brett Crawley

Why are so many people just diving, straight into the code? A minimum of requirements and design? Perhaps a threat Model?

Threat Modeling

Threat modeling is upfront investment.

Feature Express
Feature Express

I often hear teams saying:

  • They don’t have time to threat model.
  • They have deadlines.
  • We’ll do it after we’ve released.

Look at the consequences.

Threat Modeling Too Late
Threat Modeling Too Late

Doing it later is often too late, the damage is done and they either need to go back to the drrawing board or add a patch, meaning the security of the product will never be as strong as it could’ve been. This is there first step onto the slippery tech debt slope.

Is this familiar?

Exponential Vulnerability Backlog Growth
Exponential Vulnerability Backlog Growth

Not threat modeling also allows vulnerabilities to propagate and the backlog to grow exponentially causing a snowball effect.

By doing this…

Threat Model Early
Threat Model Early

Threat modeling early allows you to fix things cheaper, with less effort, it’s predictable because you can plan the fixes into the development and simply makes more sense.

You reach this…

Vulnerability Utopia
Vulnerability Utopia

Not only that but because you have reduced the flow and stopped the hemoraging of vulnerabilities, you can start to work of the existing backlog, gradually moving towards a kind of utopia.