This survey has been created to get an idea of how threat modelling is currently used in organisations, and what the future of Threat Modelling looks like in a world of DevOps, Agile, Web-Scale and Continuous Delivery.

* 1. How mature is your threat modelling process?

* 2. Which engineering functions are involved in threat modelling?

* 3. If you're not threat modelling, what's stopping you? If you are, what's preventing wider adoption?

* 4. What threat modelling methods do you use?

* 5. Which best describes the benefits you feel threat modelling brings?

* 6. If you could have a new threat modelling tool, which benefits would you like most?

* 7. In this new tool, which features would you prefer?

Steve is a developer and is about to write the function that will manage customers in the AcmeApp database. Steve knows that he needs to use parameterised queries to prevent SQL injection attacks. Before writing a single line of code he writes

// @mitigates Database:Customer against @sql_injection with parameterised queries

A few hours later Steve pushes his changes to git for review. At that exact moment Tash receives a message in Slack stating that the AcmeApp threat model report has changed. Tash is a security engineer and goes to take a look at the newly generated threat model. She sees the new SQL injection mitigation and notices that Steve didn't record the fact that the function writes Personally identifiable information (PII) into the database. She adds a comment to the git pull request and within an hour Steve has updated the commit to include a @transfers statement.

* 8. If the above story describes the use of the new tool, how do you feel about the potential for the tool?

* 9. If you have any comments regarding this survey, threat modelling in general, or continuous threat modelling through code, please let us know! Check out for a prototype open source tool that aims to make continuous threat modelling a reality.

Report a problem