* Think like an attacker
* Attacker motivations
* Understanding the attack vectors
* Mapping out all the possibilities
* Collecting data
* Making the data useful and finding patterns
* Identify important security design constraints and controls that need to get built into your software
* Prioritize and build security defenses over time to reduce security risks
* Achieve limited security debt by developing a CWR strategy
* Build an Attack Map
* Build a Crawl Walk Run Strategy