October 14, 2016

Threat Modeling Methodology

Security professionals have put forth various threat modeling methodologies over the years. The intent of each is the same: identify potential threats early and put mitigating security controls in place proactively, thereby reducing overall organizational risk. Each methodology promotes its own particular emphasis, and however effective each may be for its authors' focus, every traditional threat modeling methodology has its pros and cons. The fact remains that none of them has delivered the full potential of threat modeling, which makes them ineffectual for enterprise-level threat modeling.

A New Approach is Needed

The authors of the Visual, Simple, and Agile Threat modeling methodology (VAST) set out to address these limitations. The result was a methodology, organically developed from the evolving discipline of threat modeling, for both large and medium organizations. A threat modeling process based on the VAST methodology can scale across an organization’s entire DevOps portfolio – while supporting their existing Agile methodology. This may include hundreds or even thousands of threat models.

The automation and repeatability inherent in VAST mean organizations receive consistent, concrete, actionable output regardless of who creates or updates the threat models. Moreover, the methodology enables all SDLC stakeholders (DevOps teams, security teams, and senior executives) to collaborate effectively on an individual application as well as on the organization's entire application portfolio.

Paradoxically, since earlier threat modeling methodologies are inherently security-team driven, they also limit the security team’s ability to influence the adoption of necessary security controls organization-wide. This is due, in no small part, to the traditional methodologies’ dependency on data flow diagrams (DFD). DFDs are high-level abstractions of how data is moved, stored, and manipulated by an application operating within an IT system. By their very nature DFDs require subject matter experts for their creation, interpretation, and application. That makes the value of threat modeling incommunicable to two-thirds of the SDLC stakeholders.

Furthermore, traditional methodologies focus only on single application threat models. As such they have no capacity to identify threats that arise from application interactions, nor can they be used to develop a comprehensive view. However, development teams need security requirements relative to the highly interconnected environment in which applications operate. Senior executives, as well as security professionals, need real-time, data-driven awareness of the organization’s overall threat profile, the ability to develop a comprehensive attack surface analysis, and capacity to predict the business and technological impact of emerging threats across the organization.

Unique Features of the VAST Methodology

The VAST methodology divides threat models into two types – application threat models and operational threat models. Application threat models are visually constructed using process flow diagrams and focus only on the application under analysis. A process flow diagram analyzes the application in much the same way as developers think about applications during design and coding, in terms of features, communication protocols, and coding blocks. Process flow diagrams allow application architects and developers who are most familiar with the design specifications and modification requirements to build and modify application threat models. This has the added benefits of threat models integrating seamlessly with the developer’s existing workflow and toolchain, as well as enhanced acceptance of threat modeling and adaptation of the threat modeling outputs.

Operational threat models, on the other hand, provide end-to-end data flow diagrams which are more concrete and practical than their traditional DFD cousins. Constructing an end-to-end data flow diagram starts with identifying all the components involved in an IT system, whether isolated or shared hardware, software, 3rd party elements, or even users, and the communication protocols each element uses to talk to other specific elements. The resulting operational threat model is a contextualized communications map that can easily be understood, created, or modified by operational team members.

By dividing threat models into specific types and removing the dependence on subject matter expertise for their creation and modification, the different DevOps teams working within Agile methodologies can receive the actionable output they need without breaking their established pace. DevOps teams drive the threat modeling process, which increases the effectiveness of the security team in establishing and enforcing security policy throughout the entire application portfolio. Security teams can perform a comprehensive attack surface analysis and know exactly if and how a newly emerging threat is relevant to the organization, drilling down to the potential threat's entry point(s). This allows managers to evaluate the benefits and returns of their threat modeling initiative, set risk policy, and better maintain their overall enterprise risk management (ERM) strategy.
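To make the operational threat model concrete, the following is an added example (it is not code from the original post or from ThreatModeler) of the communications map described above: components, the protocol each uses to reach specific other components, and a trust-boundary flag. On top of that map it computes the attack surface (links initiated from outside the trust boundary) and, for a newly emerging threat described by a protocol or a component kind, the external entry paths that reach each affected component. The sample system, its component names, and the `OperationalModel` class and its methods are all constructed for illustration and are assumptions, not part of the VAST methodology as published.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    kind: str               # e.g. "user", "web_app", "service", "database", "third_party"
    external: bool = False  # True if it sits outside the organization's trust boundary


@dataclass(frozen=True)
class Link:
    src: str
    dst: str
    protocol: str           # the protocol src uses to talk to dst


class OperationalModel:
    """Hypothetical end-to-end communications map (constructed for this example)."""

    def __init__(self):
        self.components: dict[str, Component] = {}
        self.links: list[Link] = []

    def add_component(self, name, kind, external=False):
        self.components[name] = Component(name, kind, external)

    def add_link(self, src, dst, protocol):
        # Refuse dangling edges: every endpoint must be an inventoried component.
        for n in (src, dst):
            if n not in self.components:
                raise KeyError(f"unknown component {n!r}; add it before linking")
        self.links.append(Link(src, dst, protocol))

    def attack_surface(self):
        """Links initiated by components outside the trust boundary: the entry points."""
        return [lk for lk in self.links if self.components[lk.src].external]

    def affected_components(self, protocol=None, kind=None):
        """Components touched by a threat against a protocol or a component kind."""
        hit = {c.name for c in self.components.values() if kind is not None and c.kind == kind}
        for lk in self.links:
            if protocol is not None and lk.protocol == protocol:
                hit.update((lk.src, lk.dst))  # a protocol weakness exposes both ends of the channel
        return hit

    def shortest_path(self, start, target):
        """Breadth-first search along link direction; returns a list of names or None."""
        prev = {start: None}
        queue = deque([start])
        while queue:
            cur = queue.popleft()
            if cur == target:
                path = []
                while cur is not None:
                    path.append(cur)
                    cur = prev[cur]
                return path[::-1]
            for lk in self.links:
                if lk.src == cur and lk.dst not in prev:
                    prev[lk.dst] = cur
                    queue.append(lk.dst)
        return None

    def entry_points_for(self, protocol=None, kind=None):
        """Map each affected component to the external-origin paths that reach it.

        An empty dict means the threat is not relevant to this system at all; an
        affected component with an empty path list is present but reachable only
        from inside the trust boundary (lateral movement or insider scenarios).
        """
        externals = [c.name for c in self.components.values() if c.external]
        result = {}
        for target in sorted(self.affected_components(protocol, kind)):
            paths = [p for p in (self.shortest_path(e, target) for e in externals) if p]
            result[target] = paths
        return result


def build_sample_model():
    """Constructed sample system (assumption; not taken from the original page)."""
    m = OperationalModel()
    m.add_component("browser", "user", external=True)
    m.add_component("api_gateway", "web_app")
    m.add_component("orders_svc", "service")
    m.add_component("orders_db", "database")
    m.add_component("payment_provider", "third_party", external=True)
    m.add_component("batch_job", "service")
    m.add_link("browser", "api_gateway", "https")
    m.add_link("api_gateway", "orders_svc", "http")
    m.add_link("orders_svc", "orders_db", "postgres")
    m.add_link("orders_svc", "payment_provider", "https")
    m.add_link("payment_provider", "orders_svc", "https")  # webhook callbacks
    m.add_link("batch_job", "orders_db", "postgres")
    return m


if __name__ == "__main__":
    model = build_sample_model()
    print("attack surface:", [(lk.src, lk.dst, lk.protocol) for lk in model.attack_surface()])
    print("threat against databases:", model.entry_points_for(kind="database"))
    print("threat against ftp:", model.entry_points_for(protocol="ftp"))
```

Note that the third-party payment provider shows up as an entry point because its webhook callbacks cross the trust boundary inbound; that is exactly the kind of interaction a single-application model misses and an operational map surfaces.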

Why VAST is the Right Threat Modeling Methodology

The VAST methodology is the right methodology for enterprise-level organizations seeking the benefits of threat modeling:

  • VAST is Agile. It is the only threat modeling methodology specifically designed to integrate seamlessly with DevOps’ existing workflow using an Agile Methodology. Every other threat modeling methodology, having borrowed heavily from system engineering concepts of the 1970s and other pre-existing disciplines, requires significant documentation, endless non-production cross-discipline meetings, security subject matter expertise, and additional layers of work. A DFD-based threat model takes at least 40 – and as many as 120 – resource hours to complete before the secure coding requirements or security requirements checklist can be communicated to the DevOps team. A threat model based on the VAST methodology, on the other hand, can be completed in about an hour or in parallel with the design phase. The appropriate security requirements are thereby immediately available to the DevOps team as they move into the development or installation phase.
  • VAST is Scalable. Traditional threat modeling methodologies are resource intensive – a single resource might be able to complete 20 – 30 application threat models in a year. VAST allows organizations to scale their threat modeling process to include hundreds or even thousands of new threat models – including modifications and updates – each year without a substantial increase in security or DevOps resources.
  • VAST is Repeatable. Traditional threat modeling methodologies yield different results depending on the person or team creating the model because they are based on highly abstract data flow diagrams. The VAST methodology generates threat models that are far more consistent because they are based on process flow diagrams. Each threat model thereby produces concrete, consistent, and actionable output for all stakeholders regardless of the individual or team that created it.

Which Threat Modeling Methodology will You Choose?

Choosing the proper threat modeling methodology for your organization depends on the scope of the initiative, the outputs required, and the resources available for investment. Some threat modeling methodologies yield security-driven processes. The VAST methodology, on the other hand, is the first threat modeling methodology designed to be driven by the various DevOps teams.

The underlying principle is providing organizations with the ability to scale their threat modeling process across hundreds or even thousands of threat models while seamlessly integrating with existing Agile workflows and toolchains. The VAST methodology develops concrete, consistent, actionable outputs for DevOps teams, security personnel, and senior executives by starting from the understanding that the needs of developers differ from the needs of the infrastructure team.

The VAST methodology is designed for scalable, enterprise-level automation at a variety of process maturity levels. ThreatModeler™ is the first tool to take advantage of the benefits of the VAST methodology.

Contact us for a FREE CONSULTATION to discuss how a scalable, enterprise-level threat modeling process can benefit your organization.