Update Threat_Modeling_Cheat_Sheet.md

[sebob]

With reference to the discussion
#1431

Thank you for submitting a Pull Request (PR) to the Cheat Sheet Series.

🚩 If your PR is related to grammar/typo mistakes, please double-check the file for other mistakes in order to fix all the issues in the current cheat sheet.

Please make sure that for your contribution:

• In case of a new Cheat Sheet, you have used the Cheat Sheet template.
• All the markdown files do not raise any validation policy violation, see the policy.
• All the markdown files follow these format rules.
• All your assets are stored in the assets folder.
• All the images used are in the PNG format.
• Any references to websites have been formatted as [TEXT](URL)
• You verified/tested the effectiveness of your contribution (e.g., the defensive code proposed is really an effective remediation? Please verify it works!).
• The CI build of your PR pass, see the build status here.

If your PR is related to an issue, please finish your PR text with the following line:

This PR covers issue #.

Thank you again for your contribution 😃

[kwwall]

Overall, I think this is fine, as it is important to be honest with development teams. However, my critique is that for the first 3 paragraphs, it may be enough for some to give up reading before they make it to the 4th paragraph.

So, I propose swapping the order of the headers at lines 91 and 93 so that it looks like:

## Threat Modeling and the Development Team

### Challenges

and then at line 101, insert a new header:

### Addressing the Challenges

so they don't give up hope before coming to proven approaches ethat would work.

I think it would also be a good idea of recommending they start small, e.g., maybe on a new feature that's being added rather than trying to threat model all of their system from the get go. And emphasis that it needn't be perfect. They are going to miss some threats, but doing a threat model at all will create a mindset in the development teams and often that's just important as having a solid threat model.

[sebob]

@kwwall done :)

[mackowski]

LGTM!

[szh]

One nit, otherwise LGTM

[szh]

Suggested change

To change the current situation, organizations should invest in regular IT security training for their development teams. These training sessions should be conducted by experts and tailored to the specific needs of the team. Additionally, it is beneficial to implement processes and tools that simplify and automate threat modeling. These tools can help in identifying and assessing threats, making the process more accessible and less time-consuming.

To change the current situation, organizations should invest in regular application security training for their development teams. These training sessions should be conducted by experts and tailored to the specific needs of the team. Additionally, it is beneficial to implement processes and tools that simplify and automate threat modeling. These tools can help in identifying and assessing threats, making the process more accessible and less time-consuming.

[kwwall]

@sebob - I'd mark this conversation as 'resolved' but if i did, the one word change (which I agree is a better fit; most developers think of phishing awareness training when you mention 'IT security training' to them) that @szh suggested might get lost. But I agree, this looks good.

[kwwall]

Changes approved. LGTM.

[kwwall]

@sebob - I'd mark this conversation as 'resolved' but if i did, the one word change (which I agree is a better fit; most developers think of phishing awareness training when you mention 'IT security training' to them) that @szh suggested might get lost. But I agree, this looks good.