What's the single most impactful step you can take to improve the security of your applications and your application development process?

Let me answer that question with another question.

How can you hope to improve the security of your applications if you don't first understand the assets you are trying to protect and the threats that can be leveraged against those assets?

It's a common mistake we see far too often: tackling the application security "problem" without first understanding what it is. Many tools and application assessment services use a one-size-fits-all approach. Treating security like an assembly line is good for cost savings, but are you getting the ROI you think you are getting?

Is your business the same as every other business out there? If not, why would your assets and threats be the same? What do you need to consider in order to reduce your unique application security risks? Most businesses don't understand the assets they need to protect, nor do they understand the unique threats that could be used against them.

If you've gotten this far, you've probably already figured out the answer to my first question. Threat modeling is the most important step you can take to reduce your application security risks. Every other step you take will use this initial asset and threat analysis as a foundation and starting point.

Why are you designing in that security mitigation? Because it's protecting a high-priority asset. Why are you writing defensive code in that module? Because it counters a high-priority threat.

It's not possible to close every vulnerability or protect every line of code, so it's important to focus on critical assets and the most impactful threats. That's how you get application security ROI, not through a one-size-fits-all tool or service.

When I was involved in the creation of STRIDE and DREAD back in 1999, we were trying to solve an important problem: creating an effective but simple way to categorize threats and vulnerabilities and rank their priority. An entire methodology of threat modeling and secure SDLC activities sprang from that humble beginning. If you would like to learn more about my thoughts on the next generation of these techniques and how to apply them to reduce your application security risk, the paper can be downloaded here.

Software Threat Classification