Cybersecurity & Threat Modeling: Automated vs. ManualStephen de Vries and Adam Shostack on How to Approach the Threat Modeling Journey
Cybersecurity threat modeling: automated tools or manual methods? It's not an either-or situation, say Stephen de Vries, CEO and co-founder of IriusRisk, and Adam Shostack, president of Shostack and Associates. Each approach brings unique business value, and they discuss the merits of both methods.
In this exclusive interview with Information Security Media Group, de Vries and Shostack also discuss:
- Why threat modeling is not standard practice in all organizations;
- The unique merits of automated tools and manual methods;
- The first step to take on a threat modeling journey.
De Vries started his career as a C, C++ and Java developer before moving into software security. He’s an active contributor to a number of OWASP projects and has helped FTSE 100 companies to build security into their development processes through threat modeling and integrated security testing.
Shostack is a leading expert on threat modeling and has been on IriusRisk's technical advisory board since its inception. He currently helps organizations improve their security via Shostack and Associates and offers industry-leading threat modeling training. While at Microsoft, he drove the Autorun fix into Windows Update, was the lead designer of the SDL Threat Modeling Tool v3 and created the "Elevation of Privilege" game. Shostack is the author of "Threat Modeling: Designing for Security" and a co-author of "The New School of Information Security."