One of the keys to scaling threat modeling across an organisation is to create a standard library of threats and countermeasures that can be used by many different teams. Working with a single, relatively small library is quite straightforward, but as your teams grow and the number of technologies in use increases, it becomes necessary to create multiple threat libraries maintained by different teams, whilst also keeping them available for use across the organisation.
For management purposes, it’s useful to keep threat libraries domain-specific. For example, creating a distinct OWASP ASVS library for all web-related content and a separate EU GDPR library means that two distinct teams with expertise in each of those areas can work on their library independently. This is great for allowing distributed teams the freedom to work independently on their threat library – and to own and maintain that library. But all of those libraries ultimately need to be embedded into a single threat modeling platform like IriusRisk. This means some degree of coordination between the teams when publishing and updating their libraries.
IriusRisk’s own internal security team has published a guide on how to manage this process. While the article is specific to IriusRisk and its use of XML files for library content, the same principles can be applied to other threat modeling tools – if they allow import and export of their library content. Happy collaborating!
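The coordination problem described above (two teams independently maintaining domain-specific libraries that must later coexist in one platform) is easiest to catch mechanically before publishing. The following is an added example, not IriusRisk's code and not its XML schema: it uses a simplified, hypothetical library format (a `<library>` with `<threat>` and `<countermeasure>` elements carrying `ref` and `name` attributes) and constructed sample content for a web library and a GDPR library. It cross-checks the libraries for reference identifiers that mean different things in different libraries, distinguishes those from items repeated verbatim, and refuses to merge until conflicts are resolved.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample libraries in a hypothetical, simplified schema.
# Both teams happened to pick the refs "shared-001" and "web-cm-002"
# for different items, which is exactly what must be caught before publishing.
WEB_LIBRARY = """<library ref="web-asvs" name="OWASP ASVS (web)">
  <threats>
    <threat ref="web-001" name="Injection via untrusted input">
      <countermeasures>
        <countermeasure ref="web-cm-001" name="Parameterised queries"/>
      </countermeasures>
    </threat>
    <threat ref="shared-001" name="Weak session management">
      <countermeasures>
        <countermeasure ref="web-cm-002" name="Secure session cookie attributes"/>
      </countermeasures>
    </threat>
  </threats>
</library>"""

GDPR_LIBRARY = """<library ref="eu-gdpr" name="EU GDPR">
  <threats>
    <threat ref="gdpr-001" name="Personal data retained beyond purpose">
      <countermeasures>
        <countermeasure ref="gdpr-cm-001" name="Retention schedule enforced"/>
      </countermeasures>
    </threat>
    <threat ref="shared-001" name="Unlawful cross-border transfer">
      <countermeasures>
        <countermeasure ref="web-cm-002" name="Standard contractual clauses"/>
      </countermeasures>
    </threat>
  </threats>
</library>"""


def parse_library(xml_text):
    """Return (library_ref, {threat_ref: name}, {countermeasure_ref: name})."""
    root = ET.fromstring(xml_text)
    threats, countermeasures = {}, {}
    for threat in root.iter("threat"):
        threats[threat.get("ref")] = threat.get("name")
        for cm in threat.iter("countermeasure"):
            countermeasures[cm.get("ref")] = cm.get("name")
    return root.get("ref"), threats, countermeasures


def check_libraries(library_xmls):
    """Cross-check independently maintained libraries before publishing.

    Returns {"conflicts": {...}, "duplicates": {...}}; each key is
    (kind, ref) and each value lists (library_ref, name) pairs.
    A conflict is one ref meaning different things in different libraries;
    a duplicate is the same item repeated verbatim in more than one library.
    """
    owners = defaultdict(list)
    for xml_text in library_xmls:
        lib_ref, threats, cms = parse_library(xml_text)
        for ref, name in threats.items():
            owners[("threat", ref)].append((lib_ref, name))
        for ref, name in cms.items():
            owners[("countermeasure", ref)].append((lib_ref, name))
    conflicts, duplicates = {}, {}
    for key, uses in owners.items():
        if len({lib for lib, _ in uses}) < 2:
            continue  # only one library owns this ref: nothing to coordinate
        if len({name for _, name in uses}) > 1:
            conflicts[key] = uses
        else:
            duplicates[key] = uses
    return {"conflicts": conflicts, "duplicates": duplicates}


def merge_libraries(library_xmls):
    """Combine libraries into one <libraries> document, refusing on conflicts."""
    report = check_libraries(library_xmls)
    if report["conflicts"]:
        raise ValueError(f"unresolved ref conflicts: {sorted(report['conflicts'])}")
    combined = ET.Element("libraries")
    for xml_text in library_xmls:
        combined.append(ET.fromstring(xml_text))
    return ET.tostring(combined, encoding="unicode")


if __name__ == "__main__":
    report = check_libraries([WEB_LIBRARY, GDPR_LIBRARY])
    for (kind, ref), uses in sorted(report["conflicts"].items()):
        print(f"CONFLICT {kind} '{ref}':")
        for lib, name in uses:
            print(f"    {lib}: {name}")
```

Run as a pre-publish step, the check reports both colliding refs with the owning library and the name each team gave the item, which is the information needed to decide whether one team renames its ref or the two items are consolidated. A simple convention that avoids most such collisions in the first place is to give each team an agreed ref prefix (`web-`, `gdpr-`) and reject any item outside its library's prefix.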