Culture and Org. -> Design: Conduction of simple threat modelling on business level
Risk and Opportunity
Risk: Business-related threats are discovered too late in the development and deployment process.
Opportunity: Threat modelling of business functionality is performed during the product backlog creation to facilitate early detection of security defects.
Exploit details
Usefulness: Medium
Required knowledge: Low (one discipline)
Required time: Medium
Required resources (systems): Very Low
OWASP SAMM 1 Mapping: TA1-A
ISO27001:2017 Controls Mapping:
- not explicitly covered by ISO 27001
- may be part of risk assessment
- 8.2.1
- 14.2.1