V1 - Secure Development - Verify use of threat modeling for applications in IoT ecosystem about iot-security-verification-standard-isvs HOT 5 CLOSED

Agreed. Modifying 1.1.3 might be the best way forward. Perhaps with the following?

Verify the use of threat modeling for every product introduction design (i.e. new and mature), security-critical feature change, or sprint planning to identify threats, plan for countermeasures, facilitate appropriate risk responses, and guide security testing.

from iot-security-verification-standard-isvs.

Yes, that sounds good to keep the control in 1.1.3 would suggest to keep it a bit shorter:

Verify the use of threat modelling for each design or security-critical product feature change to identify likely threats and facilitate appropriate risk responses and to guide security testing.

Opened PR for review to change 1.1.3: #31

from iot-security-verification-standard-isvs.

I think it's important to use "product introduction' since it's one of the earliest stages in a product's lifecycles ( i.e. new product introduction (NPI)) where security teams may have feedback and provide influence. It does make it a bit longer but captures key use cases to threat model and how that feeds into testing.

Revised requirement:
Verify the use of threat modeling as part of each product introduction design (i.e. new and mature) and security-relevant feature changes to identify likely threats and facilitate appropriate risk responses to guide security testing.

from iot-security-verification-standard-isvs.

Yes, that's makes sense to add this then. I've included this in the PR and updated the revised version (including using the correct AE spelling of threat modeling :))
Pull Request: https://github.com/OWASP/IoT-Security-Verification-Standard-ISVS/pull/31/files

from iot-security-verification-standard-isvs.

Merged! Thank you 🙏

from iot-security-verification-standard-isvs.