Businesses are making unprecedented investments in modern architecture, but these solutions require evaluating real-world risks against security controls to demonstrate systemic coverage. This complexity requires services that go deeper to identify controls and threats across the entire solution at any stage of the software development lifecycle. Coalfire’s threat modeling services evaluate risks unique to your solution’s architecture, focusing on threats and countermeasures rather than regulatory requirements or coding risks.
Our Application Threat Modeling Process in 4 Simple Steps
Step 1: Identify the fundamentals - We review existing documentation and diagrams to provide a point of reference when discussing threats and underlying risk. We’ll also use this time to gain an understanding of the current responsibilities and capabilities across executive and security leadership, development, and operations in relation to the in-scope application or solution.
Step 2: Break down the system - We break down the current security features and the system’s data flow to provide a baseline for system-centric threat identification and proper risk alignment.
Step 3: Identify threats - We evaluate required security controls against provided security controls to determine the adequacy of risk mitigation. Along with the people and processes supporting the in-scope systems, all relevant technology –including security tools like SAST and DAST and DevOps solutions that mitigate risk across design, coding, and deployment –will be evaluated.
Step 4: Provide actionable recommendations - We provide recommendations for addressing any areas where controls are needed or weak. We will produce a living document that includes architectural and security-based controls spanning the entire solution; this document can be modified in parallel with future development.