Threat modeling or baseline reporting to assess an application's security posture

teancum144 Member Posts: 229
I ran across a question worded similarly to the following:

For an application that has never had a security assessment, which of the following is the best assessment technique to identify the application's security posture:
a) Baseline reporting
b) Protocol analysis
c) Threat modeling
d) Functional testing

I narrowed it down to "a" or "c". I understand baseline reporting, but was less clear on threat modeling.

According to the Conklin/White book: threat modeling is a communication tool that details how the software can be attacked by an adversary, giving the entire design and development team a chance to see how their design and implementation could be attacked, so that vulnerabilities can be closed or mitigated.

According to Darril Gibson's book: threat modeling is a process that helps an organization identify and predict threats against an application using likelihood and impact. Threat modeling can improve the security posture of any application.

Based on the above, I selected "c", but the answer is "a". Thoughts?

Comments

  • Darril Member Posts: 1,588
    It's difficult to get inside the head of a question writer's mind without an explanation from the writer. However, here's what I see.

    The goal is "to identify the application's security posture", which indicates its current state. Baseline reporting documents normal system performance, which would be its current state. Another hint is "never had a security assessment", indicating a baseline was never created.

    In contrast, threat modeling for an application would be done before the application is developed, at least in a perfect world. The goal is to identify potential threats so that they can be mitigated before the application is released.

    Hope this helps.