Adopting threat modelling in agile software development projects

Abstract The goal of secure software engineering is to create software that keeps performing as intended, even when exposed to attacks. Threat modelling is considered to be a key activity to reach this goal, but has turned out to be challenging to implement in agile teams. This paper presents results from four different studies, in which we have investigated how agile teams do threat modelling today. Study A is based on observations and document analysis from five teams in a single organisation, Study B is based on interviews with eight individuals from four different organisations, Study C is based on a questionnaire survey of 45 students at two different universities, and Study D is based on interviews with seven teams in a single organisation, supplemented with document analysis. Our results include findings, challenges and current good practice related to the use of Data Flow Diagrams, STRIDE and the Microsoft Threat Modelling Tool. We also cross-check our findings with previous relevant work, and provide recommendations for making the threat modelling activities more useful to agile teams.