"A critical part of Web application security is mapping out what's at
risk — a process called threat modelling. The term "threat" modelling
is actually a misnomer. It's more like "vulnerability" or "risk"
modelling, since we're technically looking at weaknesses and their
consequences — not the actual indication of intent to cause disruption
(a threat).

Semantics aside, threat modelling — even at a high level —
needs to be on your radar and part of your development process if Web
application security is important to your business. Think about it.
There's a lot happening within your Web applications that you may not
be aware of. It's really easy to fall into the trap of assuming all's
well in Web-land as long as the basics of a firewall, SSL, and strong
passwords are in place. This dangerous assumption boils down to not
really knowing what's at risk. It's the bane of information security
today.

Let threat modelling help fill the gaps. It really does work. Here are the essential steps for getting started:"

Article Link: http://searchsecurity.techtarget.com.au/topics/article.asp?DocID=1306902