Developer-Driven Threat Modeling Lessons Learned in the Trenches

Cited by: 51
Author
Dhillon, Danny
Keywords
application security; risk analysis; secure architecture; secure design; security development life cycle; software security; threat modeling
DOI
10.1109/MSP.2011.47
Chinese Library Classification number
TP [Automation Technology, Computer Technology];
Discipline classification code
0812;
Abstract
Threat modeling at the design phase is one of the most proactive ways to build more secure software. Identifying and resolving potential security issues early avoids costly reengineering that occurs later in the development life cycle. However, traditional approaches to threat modeling require significant security expertise and the ability to think like an attacker, characteristics that not all software designers and engineers possess. This article describes a large software vendor's real-world experiences with threat modeling, including major challenges encountered, lessons learned, evolution of a threat-modeling approach, and a description of the company's current developer-driven approach. © 2006 IEEE.
Pages: 41-47
Number of pages: 7