Threat modeling is one of the earliest activities that can improve the security of software. Before a single line of code is written, our threat modeling experts can help you discover serious security and privacy problems. Finding them at this stage helps you avoid costly changes to features or architecture in later phases of development, and helps you avoid insecure integrations with third-party services.
Our approach combines several threat modeling techniques: STRIDE for architecture-level threats, LINDDUN for privacy threats, and evil user stories (misuse cases written from the attacker's point of view) for feature-related weaknesses. We always consider the processes behind the system, such as maintenance and account management, as well as the technology itself. Depending on the size of the application or system, we arrange one or more threat modeling workshops in which our experts facilitate the initial discovery of threats together with your software developers, testers, product owners, and other relevant stakeholders.
Threat modeling helps you find weaknesses early and discover threats arising from processes, which cannot be assessed with security assessments or penetration tests. It also helps you scope the most critical areas to cover in those security assessments and penetration tests. With our threat modeling service, you get:
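To make the STRIDE step concrete, the following is an added illustration (not the consultancy's own tooling) of how a workshop's first pass over an architecture can be mechanized: a small data-flow diagram is described as elements and flows, the standard STRIDE-per-element mapping is applied to generate candidate threats, and flows that cross a trust boundary are listed first. The three-tier web application in `sample_model()` and the names in it are constructed for this example.

```python
"""Minimal STRIDE-per-element threat enumeration over a data-flow diagram (DFD).

Added illustration, not the consultancy's own tooling. It applies the
STRIDE-per-element mapping (which threat categories are relevant to external
entities, processes, data stores and data flows) and flags data flows that
cross a trust boundary, since that is where an attacker typically sits.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: categories relevant to each DFD element kind.
PER_ELEMENT = {
    "external": "SR",     # external entity (user, third-party service)
    "process": "STRIDE",  # running code
    "store": "TRID",      # database, file, queue
    "flow": "TID",        # data in transit between two elements
}


@dataclass
class Element:
    name: str
    kind: str       # "external", "process" or "store"
    boundary: str   # trust boundary the element lives in


@dataclass
class Flow:
    name: str
    src: str        # Element.name
    dst: str        # Element.name


def enumerate_threats(elements, flows):
    """Return one candidate threat per (element, applicable STRIDE category).

    Flows whose endpoints sit in different trust boundaries are marked and
    sorted first so the workshop starts with the highest-exposure items.
    """
    by_name = {e.name: e for e in elements}
    threats = []
    for e in elements:
        for code in PER_ELEMENT[e.kind]:
            threats.append({"target": e.name, "category": STRIDE[code],
                            "crosses_boundary": False})
    for f in flows:
        crosses = by_name[f.src].boundary != by_name[f.dst].boundary
        for code in PER_ELEMENT["flow"]:
            threats.append({"target": f"{f.name} ({f.src} -> {f.dst})",
                            "category": STRIDE[code],
                            "crosses_boundary": crosses})
    threats.sort(key=lambda t: (not t["crosses_boundary"], t["target"]))
    return threats


def sample_model():
    """Constructed three-tier web application, used only for this illustration."""
    elements = [
        Element("Browser", "external", "internet"),
        Element("Web app", "process", "dmz"),
        Element("Session cache", "store", "dmz"),
        Element("User DB", "store", "internal"),
    ]
    flows = [
        Flow("Login request", "Browser", "Web app"),       # crosses internet -> dmz
        Flow("Session write", "Web app", "Session cache"), # stays inside dmz
        Flow("Credential lookup", "Web app", "User DB"),   # crosses dmz -> internal
    ]
    return elements, flows


if __name__ == "__main__":
    for t in enumerate_threats(*sample_model()):
        flag = "!" if t["crosses_boundary"] else " "
        print(f"{flag} {t['category']:<24} {t['target']}")
```

The output is only a starting list: in the workshop each candidate is either discarded as not applicable or turned into a documented threat with consequences and a recommended mitigation, which is what ends up in the threat analysis report.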
- A threat analysis report with discovered threats, possible consequences, and recommended mitigations.
- Risk estimates for the discovered threats, produced together with your organization's relevant business stakeholders.
- Insight into the security status of the system in a relatively short time.
Threat modeling can be applied both to software and services you are developing and to those you are planning to purchase. We can also analyze threats arising from processes, such as a software development pipeline, or from larger systems and business functions. Contact us for more information.
Social Engineering
Adversaries sometimes attack human weaknesses instead of technical systems to launch a cyberattack against an organization; this type of attack is known as social engineering. Our approach to educating your personnel to defend against social engineering combines classroom training, computer-based courses, and a gamified exercise. Some or all of these components are combined into a training programme that increases resilience against social engineering.