future of threat modeling
Answers
The Future of Application Threat Modeling
Looking forward, application threat modeling should be capable of automatically and accurately pinpointing where threats exist and provide a clear actionable output, such as recommending the appropriate security controls, presenting test cases, displaying attack trees, etc., to ensure threats are mitigated in the most effective way possible. In addition to identifying threats, threat modeling should also provide a way to calculate both the technical and business impact to an organization if threats are carried out, and correlate threats to real-time threat intelligence to more effectively manage risk based on actual threat data.
Ideally, application threat modeling should also be correlated with an organization’s security policy and risk management, in a way that business executives can easily understand application risk, regardless of their level of application security expertise. This will allow senior management, security specialists, and software developers to work collaboratively to more effectively prioritize and mitigate threats.
Contextual, risk-based threat scoring should become an integral component of an effective application threat modeling practice as well. Automatically applying key threat factors such as exploitability, discoverability, automation, and the ability to predict the business and technical impact if a threat is carried out will significantly help prioritize mitigation efforts. This can be accomplished through integration with current industry-standard threat scoring systems such as CWSS, CVSS, etc., and/or with custom-built threat scoring classifications, and will be an essential component of an efficient threat modeling process.
Furthermore, application threat modeling should also allow organizations to accurately calculate costs associated with mitigation, not only to help prioritize mitigation efforts but to provide an objective process for aligning security budgets with risk.
In summary, an effective application threat modeling program should be able to automatically identify threats, specify the appropriate mitigating controls, provide risk classification metrics to prioritize mitigation, present easy-to-understand security requirements that can be integrated into the SDLC, keep threat data current, automatically generate reports that are customizable to meet the needs of various stakeholders, and enable a consistent, repeatable, scalable process that can be implemented enterprise-wide.
Explanation:
Explosive increase in human population spurring widespread development and demand for water, global climate change causing unpredictable flooding and long-lasting droughts (48), water withdrawals in coastal areas causing saltwater intrusion into drinking water sources.