The essentials of Web application threat modeling

A critical part of Web application security is mapping out what's at risk -- a process called threat modeling. The term "threat" modeling is actually a misnomer. It's more like "vulnerability" or "risk" modeling, since we're technically looking at weaknesses and their consequences -- not an actual indication of intent to cause disruption (a threat).

Semantics aside, threat modeling -- even at a high level -- needs to be on your radar and part of your development process if Web application security is important to your business. Think about it: there's a lot happening within your Web applications that you may not be aware of. It's really easy to fall into the trap of assuming all is well in Web-land as long as the basics of a firewall, SSL, and strong passwords are in place. This dangerous assumption boils down to not really knowing what's at risk, and that is the bane of information security today.
