How threat modeling at Raiffeisen Bank International became ingrained in software development

Threat modeling has become a central aspect not only of RBI’s security posture, but also its process of product development across wider areas of the business. Whereas in the past, the security team would be tasked with identifying flaws once software had already been developed, threat modeling has now become an ingrained part of the product development process from the beginning.

The outcomes...

Identifying and prioritizing requirements
Synchronizing implementations and tracking
Reducing time-consuming audit processes

The biggest business benefits from our engagement with IriusRisk, particularly from a senior leadership perspective, have been the overall security improvements. The value is twofold: first, the direct improvements to products through threat modeling, but also the knowledge gained by product teams in the process. During our first applications of threat modeling using IriusRisk, we needed to screen through all threats and implement extensive countermeasures.

However, as time goes on, we have seen product teams’ security awareness increase, and by applying their learnings from the IriusRisk Threat Model, they are considering security much earlier in the design process. This heightened security awareness is a result of the structured and consistent content provided by the broad application of IriusRisk across the business.

Wolfgang Hausner

Expert Security Manager, Raiffeisen Bank International