Threat Modeling – Impact on Software Development and Organization

 Author - Sivakumar RR

So far in my application development career I have worked with both small and large teams. One thing I have noticed in both environments is that, somewhere, there is a lack of understanding that “security is something which needs to be addressed from the roots”. In my opinion, the security of the product or application you are developing is everyone’s responsibility. Setting up teams and tools to validate it is always a good thing to do, but that should not be the only action you take. Nowadays, in the era of the new cyber crowd, where a large set of tools and techniques is easily available, a shield can be a spear and vice versa, depending on who is holding it.


Threat modeling?

What is it? In simple words, it is just a practice that can be followed to understand what the potential threats are. It helps the team identify threats during the design phase of application development itself, which leads to prioritization and mitigation of those threats. This activity can also educate teams across the organization on what the organization considers valuable.
 
Identifying and pointing out elements like this will lead to discussions, which help the teams clarify why it is important to take the idea of “security” seriously. That understanding acts as a key which proactively improves your organization's culture and brand value. An organization’s brand value is important, and reactive actions after security incidents will not protect it; for that you have to be prepared, and you should know your strengths and weaknesses before you present yourself to the public.
 
Threat modelling can be considered a stepping stone, or a base, for the idea of DevSecOps. Repeated executions of threat modeling and the follow-up discussions demand documentation of application designs, workflow analysis and business requirements. Revisiting these on each iteration stabilizes the vision of the organization and also helps to establish a DevSecOps culture.
 
 
For example, organizations are following the trend of the "Single Sign On" feature nowadays, which deals with the headache of saving multiple credentials for different applications from a single organization. This feature lets the user sign in at one place, and the same session can be forwarded to other applications as well. Cool and useful features like this are potential risk sources too: in the unexpected event of a session hijack by a hacker, it can ruin your customer's profile and make a huge negative impact on your brand value as well. So let's evaluate, discuss and mitigate the threats. You are the one who should know your weakness, not the one who tries to damage your credibility.
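As an added illustration (not code from the original post), here is one way the session-forwarding risk above can be threat-modeled in code: a hypothetical identity provider issues a signed assertion bound to one target application and a short lifetime, and each receiving application validates it, so a forged, replayed or redirected assertion is rejected. The secret, application names and claim layout are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed signing secret for this example; a real deployment keeps it in a KMS/HSM.
SSO_SECRET = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_assertion(user: str, audience: str, ttl_seconds: int = 300,
                    now: Optional[float] = None) -> str:
    """Identity provider side: hand one application a short-lived, audience-bound assertion."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "iat": int(now), "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(SSO_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def validate_assertion(token: str, expected_audience: str,
                       now: Optional[float] = None) -> Optional[dict]:
    """Application side: return the claims only if the assertion is genuine, unexpired and meant for us."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, TypeError):
        return None  # malformed token
    # Threat: forged or tampered assertion -> MAC check in constant time.
    expected = hmac.new(SSO_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    claims = json.loads(payload)
    # Threat: a captured assertion replayed later -> reject once expired.
    if claims.get("exp", 0) <= now:
        return None
    # Threat: an assertion issued for app A presented to app B -> audience must match.
    if claims.get("aud") != expected_audience:
        return None
    return claims
```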