Trike
Credit: https://www.octotrike.org/images/octotrike_logo.png Sparked from a question on our public discord channel https://discord.gg/HeHuehh What does GRIMM's threat modeling process look like? Is it only used in the design phase of the Software/System Development Life Cycle (SDLC), or can it be applied to systems already in production? We use the Trike methodology on account of it's friendliness to people who are not security experts. Like most threat modeling methodologies, it is most efficient when it's used even earlier than design: at requirements phase of the SDLC. When there are requirements like "no need to set up an account" and "make sure user-entered data is kept confidential" it is really difficult for anyone to implement that in a way that isn't going to surprise some of the business people down the road. What information are we talking about here? Does this include things like usernames, or is it just things like email add...