FAIR STRIDE – Building Business Relevant Threat Models for AppSec

Management track (Room 801B) – October 5, 2022, 10:15 am - 11:15 am


Arthur Loris

Have you ever wondered what the ROI is on a security control? Or whether you should spend time fixing 2 highs or 47 mediums? FAIR STRIDE is a method for creating application threat models that can answer these questions by feeding the output from STRIDE into a quantitative risk model like FAIR rather than a CVSS score calculator. This approach enables us to express the output of a STRIDE threat model for an application in projected dollars lost instead of a set of high, medium, and low severity threats. We will discuss how to use the output of such a model to inform strategic planning, justify investment in security controls, and define a roadmap towards scalable risk reduction for a product.
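As an added illustration (not code from the talk or its speaker), here is a Python sketch of the arithmetic the abstract describes: each STRIDE threat carries calibrated ranges for threat event frequency, vulnerability and loss magnitude, the standard FAIR decomposition (loss event frequency = TEF × vulnerability; risk = LEF × loss magnitude) turns them into annualised loss in dollars, and the "2 highs vs 47 mediums" and control-ROI questions become comparisons of those dollar figures. The threat names, ranges and control cost are constructed sample values, not calibrated data.

```python
"""FAIR-style loss estimate for STRIDE threats (added example, constructed inputs)."""
import random
from dataclasses import dataclass


@dataclass
class Threat:
    name: str
    stride: str   # STRIDE category the threat came from, e.g. "Spoofing"
    tef: tuple    # threat event frequency per year: (min, max, most likely)
    vuln: tuple   # P(a threat event becomes a loss event): (min, max, most likely)
    loss: tuple   # loss magnitude per loss event in USD: (min, max, most likely)


def expected_ale(threats):
    """Analytic annualised loss expectancy; the mean of a triangular is (min+max+mode)/3."""
    mean = lambda p: sum(p) / 3
    return sum(mean(t.tef) * mean(t.vuln) * mean(t.loss) for t in threats)


def simulate_ale(threats, trials=20000, seed=1):
    """Monte Carlo over the calibrated ranges; returns (mean, p50, p90) annual loss in USD."""
    rng = random.Random(seed)
    years = []
    for _ in range(trials):
        total = 0.0
        for t in threats:
            # random.triangular takes (low, high, mode), matching the tuple layout above
            lef = rng.triangular(*t.tef) * rng.triangular(*t.vuln)  # loss events per year
            total += lef * rng.triangular(*t.loss)
        years.append(total)
    years.sort()
    return (sum(years) / trials, years[trials // 2], years[int(trials * 0.9)])


def control_value(threats, mitigated, annual_cost):
    """Expected ALE reduction minus the control's annual cost; positive means it pays for itself."""
    return expected_ale(threats) - expected_ale(mitigated) - annual_cost


# Constructed sample: two "high" findings versus 47 "medium" ones from a STRIDE pass.
HIGHS = [
    Threat("forged session token", "Spoofing", (2, 20, 8), (0.1, 0.5, 0.3), (50_000, 500_000, 150_000)),
    Threat("unauthenticated admin API", "Elevation of Privilege", (1, 10, 4), (0.2, 0.8, 0.5),
           (100_000, 2_000_000, 400_000)),
]
MEDIUMS = [Threat(f"verbose error page {i}", "Information Disclosure", (5, 50, 20),
                  (0.01, 0.1, 0.04), (1_000, 20_000, 5_000)) for i in range(47)]

if __name__ == "__main__":
    print("2 highs, expected annual loss:   $%.0f" % expected_ale(HIGHS))
    print("47 mediums, expected annual loss: $%.0f" % expected_ale(MEDIUMS))
    print("mean/p50/p90 for the highs:", tuple(round(x) for x in simulate_ale(HIGHS)))
    # A $500k/year control that removes the first high threat: is it worth it?
    print("net value of fixing the token flaw: $%.0f" % control_value(HIGHS, HIGHS[1:], 500_000))
```

With these constructed numbers the two highs carry far more expected loss than the 47 mediums, which is exactly the kind of prioritisation answer a CVSS bucket count cannot give.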