Rolling Meadows, IL, USA (19 March 2018) — The second installment in ISACA’s latest Perspective series features expert commentary from Adam Shostack, discussing the importance of security engineering and threat modeling in the enterprise.
In his Perspective article Reasonable Software Security Engineering, Shostack urges enterprises to reevaluate their current software security development practices and to ground them in an engineering environment, with an emphasis on learning.
“Security engineering is a big, complex topic, and there’s a lot of advice out there on how to do it,” said Shostack. “But investment in security engineering pays off.”
Shostack sets up the discussion around security engineering programs by asking three questions:
- Is my program comprehensive?
- Is it structured?
- Is it systematic?
Comprehensive programs cover all security details an organization might go through, while structure and systematic programs are closely related. After taking a closer look at each strategic approach, Shostack reminds readers that a structured, systematic and comprehensive approach must be grounded in software engineering. Once that is in place, organizations can look to creating a fuller secure development lifecycle (SDL or SDLC), customized to their unique needs.
Shostack goes on to discuss getting started on an SDL or SDLC, which requires managerial and technical proof points which can be found in fuzzing and threat modeling, with an emphasis on threat modeling. Threat modeling includes a set of structured techniques to address four key questions about a project:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good job?
According to Shostack, threat modeling is the core of security engineering, enabling organizations to know if they are being comprehensive and systematic, and it brings users back to the basics.
Reasonable Software Security Engineering is available now as a complimentary download for members and non-members at www.isaca.org/shostack-perspective.
Nearing its 50th year, ISACA (isaca.org) is a global association helping individuals and enterprises achieve the positive potential of technology. Today’s world is powered by technology, and ISACA equips professionals with the knowledge, credentials, education and community to advance their careers and transform their organizations. ISACA leverages the expertise of its half-million engaged professionals in information and cyber security, governance, assurance, risk and innovation, as well as its enterprise performance subsidiary, CMMI Institute, to help advance innovation through technology. ISACA has a presence in more than 188 countries, including more than 215 chapters and offices in both the United States and China.
Michelle Micor, +1 .847. 385.7217, firstname.lastname@example.org
Jay Schwab, +1.847.660.5693, email@example.com