Security Strategy
4 min read

What Does Good Security Look Like?

Good security is not about fixing every vulnerability. It is about knowing the threats you face, the risks they carry, and having a clear method for deciding what to address and when.

25 March 2022

Reviewed 29 March 2026


Threat Modeling

A user story in a sprint review that read "As a developer, I want our applications to be secure" got me thinking. What does that actually mean? Is it every conceivable security hole fixed? Every vulnerability patched, including the low-severity ones?

That would require enormous effort for marginal gain. Would that count as going too far?

Security is context-dependent

Security is a spectrum. What good looks like depends entirely on your situation. Is your business regulated? Do you collect personal data? Are you tied to older technology such as SWIFT, SCADA or SS7? Do you host critical national infrastructure?

These questions change what "secure" means for your organisation. A financial services firm operating a payments system and a startup running a content site face different threat landscapes. Treating them the same wastes effort in one case and creates dangerous gaps in the other.

Clear requirements lead to better security

In software development, clear requirements consistently lead to better outcomes. Unclear requirements lead to bad software and costly rework. The same is true in security.

Working across engineering teams over many years and across many sectors, I have consistently found that when businesses are clear about what security they actually need, the results are better and the effort more targeted. Less time is wasted, and the security posture that results is more appropriate to the actual risks the organisation faces.

If you know the threats your organisation faces, the risks they carry and how you could mitigate them, you are in a strong position. Some risks will need to be accepted in the short term or long term. Understanding that risk position and being able to improve it when needed is what good security looks like in practice.

The threat model as a foundation

There are many ways to capture threats, risks and mitigations. In my experience, the best approach by a considerable margin is the threat model.

A threat model brings all the key information together in one place. It is straightforward to create and serves as a live view of the security position of any system or business process. That simple combination works as a communication tool, a risk management tool, a planning tool and a foundation for a DevSecOps programme.

Customers I have worked with have gained more clarity, a stronger security culture and better alignment between engineering and security teams. Their end customers benefit too, with a more secure product.

In any sector and any geography, businesses need to know what to secure, how to secure it and how far to go. A threat model gives a clear framework for answering those questions and charting a course, so that security work runs alongside business delivery rather than getting in its way.

About the author
Jonny Tyers, Founder & Managing Director

Jonny founded Threatplane in 2017. With a background in offensive security, he has spent 15+ years helping organisations across defence, financial services, healthcare, and manufacturing understand and manage their technology risks.
