I ran across a question worded similarly to the following:
For an application that has never had a security assessment, which of the following is the best assessment technique to identify the application's security posture:
a) Baseline reporting
b) Protocol analysis
c) Threat modeling
d) Functional testing
I narrowed it down to "a" or "c". I understand baseline reporting, but was less clear on threat modeling.
According to the Conklin/White book: threat modeling is a communication tool that details how the software can be attacked by an adversary, giving the entire design and development team a chance to see how their design and implementation could be attacked, so that vulnerabilities can be closed or mitigated.
According to Darril Gibson's book: threat modeling is a process that helps an organization identify and predict threats against an application using likelihood and impact. Threat modeling can improve the security posture of any application.
Based on the above, I selected "c", but the answer is "a". Thoughts?