Now that we have examined the 30,000’ view, let’s start zooming in on specific areas at a 10,000’ view and lower.
One of the defining differences between the 30,000’ and 10,000’ views is when each process is carried out.
The 30,000’ view should be carried out up front, as well as at intervals during product development.
It is my intention that each of these chapters changes the way you think about your daily job, and even your life outside of work. In order for security to serve its true purpose, it must become part of who you are. This is akin to any expertise: if you want to become effective at something, you must study it, practise it and teach it. The more energy you invest, the more expert you become, until it becomes part of who you are. This is similar to a martial artist or a proficient musician who has learnt how to break through their plateaus; they no longer have to think about their forms, because the forms are now part of who they are.
As I am sure you are aware, there are many books and resources devoted entirely to each of the following chapters. At this stage, most of my recent experience has been specific to cloud/VPS, network, and web applications, which are covered in Fascicle 1. I cut my teeth as a tester and software engineer in Mobile, but that was from 2002 to 2005. Technology has changed significantly since then, but the mistakes we are still making have not.
Do not think of security as something you can finish. It will never be finished, but you can progressively improve based on the threat modelling approach in this book. Pick off the biggest wins first, with true security agility; this is what I based my company’s logo on when I realised that the security big picture will never be finished. Just like agile development, agile security is an empirical process. As you learn more, you can start to build a picture of your security posture. From that picture, you can extract pieces of work that need to be done, creating Product Backlog items and ordering them based on the information discovered during this threat modelling process.
You may struggle to identify assets in the first step of the SSM. Just do your best and move on. In most cases you will find that, as you move through the “Identify Risks” and “Countermeasures” sections, you will start thinking of additional assets. At that point, you can go back and add them.