Business-relevant Application Threat Models
Historically, there has been a disconnect between what security engineers see as risks or threats and how these risks are perceived by business leaders. FAIR STRIDE is a novel approach to driving strategic initiatives with business-relevant application threat models.
Mikko Hyppönen made this point concisely during his keynote at RMISC 2019: “In security, when we do our jobs right, nothing happens.” In reality, this is not the case, but we have to observe the situation through a lens that brings a security program’s value to light. In the scope of application security, the disconnect arises when security engineers express the impact of vulnerabilities in terms of systems and applications, rather than in terms of their impact on the business itself.
On the one hand, an application security team enables the business to sell trustworthy products, usually by fulfilling compliance frameworks such as SOC 2 or ISO 27001. On the other hand, when security teams do their jobs right, they prevent monetary losses from being inflicted on the company without slowing down the business.