The end of this week marks the downhill side of my final term at Bellevue University. Shortly I will have finished up my Master’s Degree in Cybersecurity. While this is a large accomplishment, my final courses have continued to reinforce that there is always something new to learn. Writing these blog posts is a portion of the assignments for Current Trends in Cybersecurity. The other part of the course deals with threat modeling, something I have little experience with.
Threat Modeling is a concept that requires developers to always study and potentially mitigate threats that their software is susceptible toward. It is an interesting topic and one that has sparked some interest in me. The book and coursework is based on principles established by Microsoft and I have learned a great deal. However, it has also raised several questions for me. The most pressing question is – are startups using threat modeling in their products?
With the startup culture taking over silicon valley and most other development shops across the world, programming practices have changed substantially. Companies now work in sprints, and incubate products quickly to get them out the door. Often times startups refer to their products as minimum viable product (MVP), meaning there are just enough uses for the product that it can be shipped with additional features being added later. This is a great strategy for cash strapped companies to start turning a profit and paying back investors. However, as we look at CES 2018 and other events where every device and gadget is now connected to the internet, I have to question whether everything has been properly vetted and secured.
This topic is nothing new, security analysts have been discussing compromised IoT devices for ages, but it is an important topic. If companies are not focused on security from the start, it can be hard to bolt-on later. Security must come first, even with a minimum viable product.