Data flow diagrams (DFDs) have been the de facto approach to threat modeling in the Information Security profession. As IT development has moved towards rapid iterative modular development and deployment, the flaws that result from using DFDs have become painfully obvious. This white paper looks at some flaws and the advantages of moving to a more mature Process Flow Diagram (PFD) approach to threat modeling as a solution.
Some of the most valuable key points discussed are:
- Engineering security into the early phases of an ever increasingly fast SDLC (proactive) rather than finding flaws to fix at the end (reactive).
- Leveraging PFD-driven threat modeling, including in DevSecOps.
- Using the Visual, Agile, Simple Threat Modeling (VAST) approach.
- Overcoming False Positives, False Negatives and the False Sense of Security characteristic of DFD threat modeling.