A penetration test six weeks before launch can't fix architectural insecurity. Threat modelling at design time is the practice that prevents the bug — not the test that finds it. Here's how we run it.
