Our past blog posts have covered why organizations need to implement threat modeling and make it an ongoing process, versus treating it as a one-time exercise, and also how IT executives, along with other key stakeholders, benefit from a scalable and repeatable threat modeling practice. Over the past few years a handful of methodologies and approaches to threat modeling have been adopted by a variety of large organizations, while others are now attempting to establish their own threat modeling process. In this post, we’re highlighting five characteristics that make a threat modeling practice successful.
The output of most threat modeling methodologies is an unwieldy paper trail, and because threat data changes frequently, keeping that information current is problematic. Collaboration between key stakeholders is also stifled, since manual documentation provides no mechanism for ongoing interaction between them. The output typically consists of a multitude of Data Flow Diagrams (DFDs), along with instructions presented in a “one-size-fits-all” format for every stakeholder, from executives, to security team members, to developers.
An efficient threat modeling process should provide actionable output automatically to stakeholders at all business and technical levels, tailored to their specific areas of responsibility, along with the ability to keep up-to-date with the continually changing threat landscape. Actionable output, along with real-time collaboration, promotes secure application development consistently across the board at every step along the way, while meeting security policy and governance requirements.
Actionable output should minimally include:
- A rolling list of top 10 threats, so key stakeholders can focus on the most critical data exposure at all times, calculate costs tied to mitigation, and prioritize mitigation efforts accordingly,
- Abuse cases and security requirements for developers and security operations teams to provide a road map for writing secure code and guidelines to harden the infrastructure, and
- High value targets and data exposure identifying entry and exit points that require mitigation.
IT executives often get caught up in “checking boxes” to demonstrate that compliance and regulatory mandates have been met, while losing sight of the actual costs and negative business impact should a breach occur. A fundamental characteristic of any successful threat modeling program is aligning application security risk and risk mitigation with business priorities, and being able to communicate the basis of those decisions not only to senior executives and board members but also to other key stakeholders, in order to secure the resources needed to manage risk, potential costs, and brand damage.
A business-centric approach to threat management requires IT executives to:
- Understand the business impact to an organization if certain threats are carried out,
- Collaborate with internal security teams to provide guidance and help prioritize threat mitigation efforts in terms of business risk, and
- Align mitigation strategy and budgets with application risk exposure to minimize risk.
Keeping business focus at the forefront not only requires ongoing input and direction from executive management, but also requires a collaborative platform that lets all stakeholders in the SDLC interact with one another in real time, including software architects, developers, software testers, security analysts, project managers, and security experts.
The optimal time to perform threat modeling is when a software program or computer system is being designed. However, most threat modeling solutions do not provide the automation, flexibility, precision, or thoroughness required to keep pace with the rapid changes that typically occur during the design phase. Without an automated approach in place, a disproportionate amount of testing, debugging, and reprogramming must take place later, in an effort to eliminate vulnerabilities before a software program or system is moved into production.
To perform predictive threat modeling during the design phase, you need to:
- Continually identify new threats that surface and apply the appropriate mitigating controls,
- Prioritize mitigation efforts by determining which threats pose the highest risk, and
- Verify threats have been mitigated prior to moving software programs or systems to production.
While predicting where threats and security flaws exist in the early stages of the SDLC to minimize risk is an essential element of effective threat modeling, the benefit should not be limited to the quality of the code that is written; it should also result in lower development costs. Integrating predictive threat modeling into the design phase also reduces the high costs associated with fixing vulnerabilities in production.
Integration with Real-time Threat Intelligence
Most threat modeling methodologies available today are not only manually intensive and inefficient, but are also unable to integrate with other tools and technologies. Modern development environments like Agile, where new features are constantly being added during “short sprints” and software applications are required to run on platforms that change frequently, only serve to compound the issue by continually expanding attack surfaces.
Equally important, new threats are constantly surfacing and attackers are becoming more sophisticated, so how can organizations keep pace with the ever-changing threat landscape and how can mitigation efforts be prioritized in the most effective way?
Integrating threat modeling with real-time threat intelligence allows you to:
- Gauge the potential impact of a breach by relying on statistical analysis of real-world attacks, where specific threats have been carried out in your industry vertical,
- More accurately assess the business and technical impact to your organization should a given threat be carried out, and
- Keep the most critical data exposure current and provide a foundation to align budgets with overall mitigation strategy.
It is widely recognized that most threat modeling processes and methodologies are time consuming, not repeatable, generate cumbersome paper trails with built-in obsolescence, are unable to correlate threat intelligence with organization-specific attacks, and cannot keep threat models current with the continually changing threat landscape.
A scalable, automated, repeatable threat modeling process is able to:
- Track all threats across hundreds or even thousands of an organization’s applications and keep threat data current,
- Enforce consistency enterprise-wide by allowing pre-defined security requirements to be applied to all re-usable application and system components, and
- Provide real-time collaboration between all stakeholders to keep threat modeling processes in sync.
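The three lists above (actionable output, predictive threat modeling during design, and a scalable, repeatable process) all depend on the same underlying shift: treating the threat model as structured data that can be re-generated rather than as a paper trail. The following is an added example, not code from this post or from ThreatModeler, of what that looks like at its simplest. It keeps a library of reusable component types with pre-defined security requirements, scores each threat by likelihood and business impact, produces a rolling top-N list across a portfolio, derives developer-facing requirements per application, gives executives a summary view, and gates promotion to production on unmitigated high-risk threats. The component types, requirements, applications, threats and the likelihood x impact scoring are all constructed for illustration.

```python
# Added example (not from the post or ThreatModeler): a minimal "threat model as
# structured data" so the outputs the post lists can be generated, re-generated
# and gated automatically instead of maintained as paper. All application,
# component and threat data below is constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List

# Pre-defined security requirements for reusable component types, so every
# application built from the same components inherits the same requirements.
COMPONENT_REQUIREMENTS: Dict[str, List[str]] = {
    "web-frontend": ["Validate and output-encode all user-supplied input",
                     "Enforce session timeouts and secure cookie flags"],
    "rest-api": ["Authenticate and authorize every request server-side",
                 "Rate-limit and log authentication failures"],
    "database": ["Use parameterized queries only",
                 "Encrypt sensitive columns at rest; restrict DB accounts to least privilege"],
}

@dataclass
class Threat:
    id: str
    title: str
    component: str          # entry/exit point the threat applies to
    likelihood: int         # 1 (rare) .. 5 (expected); informed by threat intel
    business_impact: int    # 1 (negligible) .. 5 (severe); set with business owners
    mitigated: bool = False
    abuse_case: str = ""    # short narrative for developers and testers

    @property
    def risk(self) -> int:
        # Simple likelihood x impact score (constructed); a real program calibrates this.
        return self.likelihood * self.business_impact

@dataclass
class Application:
    name: str
    components: List[str]
    threats: List[Threat] = field(default_factory=list)

def top_threats(apps: List[Application], n: int = 10) -> List[Threat]:
    """Rolling top-N list across the whole portfolio: unmitigated, highest risk first."""
    open_threats = [t for a in apps for t in a.threats if not t.mitigated]
    return sorted(open_threats, key=lambda t: (-t.risk, t.id))[:n]

def security_requirements(app: Application) -> List[str]:
    """Requirements a developer must satisfy, derived from the app's reusable components."""
    reqs: List[str] = []
    for c in app.components:
        for r in COMPONENT_REQUIREMENTS.get(c, []):
            if r not in reqs:          # de-duplicate while preserving order
                reqs.append(r)
    return reqs

def release_gate(app: Application, max_open_risk: int = 9) -> List[Threat]:
    """Threats that block promotion to production. An empty list means the gate passes."""
    return [t for t in app.threats if not t.mitigated and t.risk > max_open_risk]

def executive_summary(apps: List[Application]) -> Dict[str, int]:
    """Stakeholder-tailored view: portfolio counts only, no DFDs or abuse-case detail."""
    open_threats = [t for a in apps for t in a.threats if not t.mitigated]
    return {
        "applications": len(apps),
        "open_threats": len(open_threats),
        "high_risk_open": sum(1 for t in open_threats if t.risk > 9),
        "apps_blocked": sum(1 for a in apps if release_gate(a)),
    }

# Constructed sample portfolio: two applications sharing reusable components.
PORTFOLIO = [
    Application("customer-portal", ["web-frontend", "rest-api", "database"], [
        Threat("T1", "SQL injection via search endpoint", "database", 4, 5,
               abuse_case="A user supplies crafted search input to read other customers' records"),
        Threat("T2", "Session fixation", "web-frontend", 2, 3, mitigated=True),
        Threat("T3", "Credential stuffing against login", "rest-api", 5, 4),
    ]),
    Application("internal-reporting", ["rest-api", "database"], [
        Threat("T4", "Missing authorization on report download", "rest-api", 3, 3),
    ]),
]

if __name__ == "__main__":
    print("Top threats (portfolio-wide):")
    for t in top_threats(PORTFOLIO):
        print(f"  {t.risk:>3}  {t.id}  {t.title}")
    print("Executive summary:", executive_summary(PORTFOLIO))
    for app in PORTFOLIO:
        blockers = release_gate(app)
        print(f"{app.name}: gate {'PASS' if not blockers else 'BLOCKED by ' + ', '.join(t.id for t in blockers)}")
        for r in security_requirements(app):
            print("   requirement:", r)
```

Because the model is data, re-running it after a threat's likelihood is updated from threat intelligence, or after a mitigation is recorded, regenerates every stakeholder view consistently; there is no document to fall out of date. The release gate is the piece that turns "verify threats have been mitigated prior to production" from a checkbox into an automated check that a CI pipeline can enforce.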
While various threat modeling and secure development methodologies, processes, and practices have been developed and adopted in the marketplace over the past several years, establishing clear objectives and metrics to measure their success and calculate an ROI has been challenging. The five characteristics of a successful threat modeling practice identified here not only provide a baseline for measuring the progress of a threat modeling program, but also establish a foundation for effectively aligning budgets with application risk mitigation.
ThreatModeler™, MyAppSecurity’s flagship offering, is the industry’s first automated, scalable, and repeatable threat modeling product. Please contact us to learn more about ThreatModeler™.