Conduct Threat Modeling
Description
Conduct threat modeling. Threat modeling is the process of identifying and addressing application security design flaws within a design, before code is created. It is conducted through specially trained individuals who evaluate the application design and gauge security risks for each entry point and access level. The goal is to map out the application, architecture, and infrastructure in a structured way to understand its weaknesses.
Implementation Checklist
Tool Recommendations
| Vendor | Product summary | Licensing model |
|---|---|---|
| Veracode | Application security platform with SAST, DAST, SCA, and developer training for secure software development | Per-application subscription |
| Checkmarx | Cloud-native application security platform with SAST, SCA, DAST, API security, and supply chain security testing | Per-developer subscription |
| Synopsys | Application security testing suite with SAST (Coverity), SCA (Black Duck), and DAST for comprehensive AppSec | Per-developer subscription |
Threats & Vulnerabilities (CIS RAM)
Threat Scenarios
Architectural Design Flaw Exploited After Deployment
Confidentiality: An attacker exploits a fundamental design flaw in the application architecture, such as an insecure trust boundary, that would have been identified during threat modeling but was never analyzed before code was written.
Unidentified Entry Points Leveraged by Attacker
Integrity: An attacker discovers and exploits an overlooked entry point in the application that the development team did not consider because no structured threat modeling mapped all attack surfaces and access levels.
Costly Post-Deployment Redesign for Security Flaw
Availability: A fundamental security weakness is discovered in production that requires a complete architectural redesign, which would have been trivial to fix during design had threat modeling identified it before development began.
Vulnerabilities (When Safeguard Absent)
No Pre-Development Threat Analysis
Without threat modeling before code is written, architectural security weaknesses, insecure trust boundaries, and unprotected entry points are embedded in the design and are costly to remediate later.
Attack Surface Not Systematically Mapped
Absence of threat modeling means the application's entry points, data flows, trust boundaries, and access levels are not formally analyzed for security risks, leaving blind spots in the security posture.
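The description above and the two gaps just listed (no pre-development analysis, no systematic map of entry points, data flows, trust boundaries and access levels) describe what a structured threat model has to capture. The following is an added illustration, not part of the CIS safeguard text and not a tool from the vendors listed above: a small threat-model-as-code script in which components sit in trust zones, flows carry data between them, every flow entering a more-trusted zone is recorded as an entry point, and three structural rules flag STRIDE-style design flaws before any code exists. The zone ordering, the `PUBLIC_ZONES` set, the rule set and the sample system are all constructed assumptions; a real model would use the organization's own zones and rules.

```python
"""Minimal threat-model-as-code helper (added example, not CIS content).

Components sit in trust zones; flows carry data between them. Every flow that
enters a more-trusted zone is an entry point, and a few structural rules flag
design flaws that threat modeling is meant to catch before code exists.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed zone ordering, least trusted first. Real models use their own zones.
TRUST_ORDER = {"internet": 0, "dmz": 1, "internal": 2, "data": 3}
# Zones where unauthenticated inbound traffic is expected (e.g. a login page).
PUBLIC_ZONES = {"dmz"}


@dataclass(frozen=True)
class Component:
    name: str
    zone: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str            # what the flow carries
    sensitive: bool      # needs confidentiality protection
    authenticated: bool  # destination authenticates the caller
    encrypted: bool      # channel protected in transit


@dataclass(frozen=True)
class Finding:
    flow: Flow
    category: str        # STRIDE-style label
    detail: str


@dataclass
class Model:
    components: Dict[str, Component]
    flows: List[Flow]

    def zone_of(self, name: str) -> str:
        return self.components[name].zone

    def trust_gap(self, flow: Flow) -> int:
        """Positive when the flow enters a more-trusted zone."""
        return TRUST_ORDER[self.zone_of(flow.dst)] - TRUST_ORDER[self.zone_of(flow.src)]


def entry_points(model: Model) -> List[str]:
    """Attack-surface map: components that accept flows from a less-trusted zone."""
    return sorted({f.dst for f in model.flows if model.trust_gap(f) > 0})


def analyze(model: Model) -> List[Finding]:
    """Apply structural rules to every boundary-crossing flow."""
    findings: List[Finding] = []
    for f in model.flows:
        gap = model.trust_gap(f)
        if gap == 0:
            continue  # same zone: no trust boundary crossed
        src_zone, dst_zone = model.zone_of(f.src), model.zone_of(f.dst)
        if gap > 0 and not f.authenticated and dst_zone not in PUBLIC_ZONES:
            findings.append(Finding(f, "Spoofing",
                f"{f.dst} ({dst_zone}) accepts '{f.data}' from {f.src} ({src_zone}) "
                "without authenticating the caller"))
        if gap > 1:
            findings.append(Finding(f, "Elevation of privilege",
                f"{f.src} ({src_zone}) reaches {dst_zone} directly, skipping the "
                "intermediate tier that should mediate access"))
        if f.sensitive and not f.encrypted:
            findings.append(Finding(f, "Information disclosure",
                f"'{f.data}' crosses the {src_zone}->{dst_zone} boundary unencrypted"))
    return findings


# Constructed sample system: browser -> web tier -> API -> database, plus a partner feed.
SAMPLE = Model(
    components={c.name: c for c in [
        Component("browser", "internet"),
        Component("partner_feed", "internet"),
        Component("web", "dmz"),
        Component("api", "internal"),
        Component("batch_job", "internal"),
        Component("db", "data"),
    ]},
    flows=[
        Flow("browser", "web", "credentials and session", True, False, True),
        Flow("web", "api", "user requests", True, True, True),
        Flow("api", "db", "SQL queries", True, True, False),
        Flow("batch_job", "db", "nightly reports", True, True, True),
        Flow("partner_feed", "api", "price updates", False, False, True),
    ],
)

if __name__ == "__main__":
    print("Entry points:", ", ".join(entry_points(SAMPLE)))
    for fd in analyze(SAMPLE):
        print(f"[{fd.category}] {fd.flow.src} -> {fd.flow.dst}: {fd.detail}")
```

Run against the constructed sample, the script lists `api`, `db` and `web` as entry points and reports three findings: the API-to-database flow carries sensitive data unencrypted, and the partner feed reaches the internal API both unauthenticated and by skipping the DMZ tier. All three are the kind of trust-boundary and entry-point issue the scenarios above describe, and each is visible from the design alone, which is the point of doing this work before development starts.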
Evidence Requirements
| Type | Evidence Item | Collection Frequency |
|---|---|---|
| Technical | Configuration screenshots or exports showing protection controls enabled | Captured quarterly |
| Document | Procedure documentation for protection measures | Reviewed annually |
| Record | Training completion records and compliance rates | Tracked continuously, reported quarterly |
| Document | Training content and curriculum documentation | Reviewed annually |
| Document | Governing policy document (current, approved, communicated) | Reviewed annually |