Threat Modeling - A Brief History and the Unified Approach at Intuit

Explore the evolution and unified approach of threat modeling at Intuit in this 40-minute conference talk from AppSecEU 2014. Gain insights into the software design analysis method that identifies security weaknesses by comparing software design views against potential attackers. Learn about Intuit's journey from STRIDE-based methodology to the Unified Threat Modeling approach, developed in collaboration with Cigital. Discover how this new method addresses previous drawbacks, including time constraints and difficulty in modeling various threat agents. Understand the key components of Unified Threat Modeling, such as asset identification, attacker profiling, and control documentation. Examine the application of this approach to both software architecture and system deployments through System Threat Modeling and Protocol Threat Modeling techniques. Benefit from the expertise of speakers Scott Matsumoto, Principal Consultant at Cigital, and Tin Zaw, Staff Software Engineer at Intuit, as they share their experiences and insights on improving software security through effective threat modeling practices.