
What threat modeling methodology most aligns with your threat modeling beliefs?  STRIDE, PASTA, OCTAVE, VAST, other?

For me, I think a hybrid approach that centers around the VAST methodology most closely aligns with how I like to approach threat modeling. I favor VAST because it focuses on the entire SDLC and supports a scalable solution. The three pillars of VAST are automation, integration, and collaboration. Using VAST, you can create a holistic view of the entire attack surface, which enables enterprises to minimize their overall risk.

What is your approach to threat modeling?


I'm all about the hybrid approach too, and VAST seems like the perfect fit for me. The emphasis on automation, integration, and collaboration really resonates with how I believe threat modeling should be. It's not just about finding vulnerabilities; it's about looking at the big picture and minimizing risks throughout the software development lifecycle. VAST definitely has its sights set on the right goals!


VAST, the Visual, Agile, Simple Threat modeling methodology, is the way of the future. VAST enables non-security folks to efficiently achieve “secure by design” applications that scale across the enterprise. The pillars of VAST bridge developers and security architects so they can work together.


The choice of threat modeling methodology depends on the specific needs and goals of an organization. VAST, with its focus on automation, integration, and collaboration, is indeed a comprehensive approach that can be effective for many organizations, particularly those looking to align threat modeling with the entire software development lifecycle. Other methodologies like STRIDE, PASTA, and OCTAVE have their own strengths and may be more suitable for different contexts. Ultimately, the choice of methodology should align with an organization's unique requirements and resources.


VAST encompasses much of the most important parts of the other methodologies but emphasizes automation. Automation allows threat modeling to be scaled to encompass the entire enterprise, ensuring that threats are identified, evaluated, and prioritized throughout. 

