« Twitter-enabled Information Disclosure in Sports | Main | Floors and Ceilings »



I agree the primary purpose should be the appropriate selection of controls. Threat modeling is a heuristic nothing more.


What about code that is already in production? It seems difficult to threat model things that are already running business critical processes.

The comments to this entry are closed.