Threat Modeling: Past, Present and Future

Application threat modeling is a structured and methodical approach that allows you to identify potential threats to applications, classify them by risk, and prioritize mitigation efforts based on the technical and business impact these threats would have on your organization if carried out. Threat modeling is rapidly gaining momentum, and in this post we summarize the history of threat modeling, how it has evolved, and the direction it is heading.

The Past

Application threat modeling began as an ad hoc process to identify threats during the requirements gathering stage and incorporate them into the application design documentation. It was treated as a one-time exercise carried out in the early stages of development or in some cases, after an application was moved to production. The threat modeling output from this process resulted in burdensome reports with built-in obsolescence, due to the many changes in requirements that normally occur during the software development lifecycle (SDLC).

In addition, threat modeling required highly specialized subject matter experts with in-depth knowledge of software architecture and application security. This was costly and cumbersome for organizations to implement, and qualified security professionals with these specialized credentials proved hard to find. Plus, the lack of automated tools created internal disruption, as organizations attempted to manually integrate threat modeling processes into existing workflows.

The concept of threat trees was introduced by Dr. Edward Amoroso in 1994 in his book Fundamentals of Computer Security Technology. In 1999, Bruce Schneier proposed the use of attack trees in Dr. Dobb's Journal for developers to promote the concept of modeling threats diagrammatically. Subsequently, to complement the STRIDE threat classification methodology, Microsoft introduced its Data Flow Diagram (DFD) based approach to threat modeling by launching the first version of its public domain software, Microsoft Threat Analysis and Modeling (TAM), in 2004 (credit to: Frank Swiderski and Window Snyder). The genesis of both STRIDE and Microsoft TAM was a consequence of Microsoft’s “Trustworthy Computing Memo” authored by Bill Gates in 2002, which outlined the process required to build secure applications. Microsoft Software Development Lifecycle (SDL) replaced Microsoft TAM in 2011, and more recently, Microsoft launched its successor, Microsoft Threat Modeling Tool (TMT), in March of 2014.

Trike was introduced in 2006 as an open source threat modeling methodology and tool, in an effort to improve the efficiency and effectiveness of existing threat modeling methodologies. While Trike was similar to the Microsoft threat modeling process, it differed in that it offered a risk-based approach with distinct implementation, threat, and risk models. However, it remains in an experimental stage, with inadequate documentation and support, making it difficult to understand and implement.

Many larger organizations gravitated to Microsoft’s early approaches to threat modeling, largely because its public domain software was the only tool available, since no commercial threat modeling products had yet been introduced into the marketplace. And while the threat modeling concepts being promoted by Microsoft were useful from a theoretical standpoint, there were many challenges to implementing these processes in large enterprises. Neither Microsoft TAM nor Microsoft SDL was able to deliver the scalability needed in large enterprise environments; both required subject matter experts, were time consuming and tedious to implement, lacked meaningful output, and did not allow for real-time collaboration between stakeholders.

While organizations were beginning to understand the inherent value of threat modeling, the many challenges identified above hindered its adoption, limiting its use to a handful of organizations that had the resolve, determination, resources, and perseverance to try and deploy it in their ongoing development processes.

The Present

With the widespread use of the Agile development methodology, changes now occur at a much more rapid pace during all phases of the SDLC than in years past. This evolution, coupled with the heightened focus of organizations wanting to build security into applications during the SDLC, has made the implementation of traditional threat modeling approaches even more difficult, time consuming, costly, and inefficient.

P.A.S.T.A. (Process for Attack Simulation and Threat Analysis), a new methodology recently introduced, has gained a following through its ability to threat model applications more thoroughly, and it can be applied to a wide variety of development methodologies. Several organizations in the financial services, healthcare, insurance, and energy sectors have been the primary adopters of this approach, as these industry verticals have begun to extend the scope of their budgets that were traditionally used for code reviews, vulnerability assessments, and penetration testing, to now include threat modeling. The trend of expanding and/or shifting budgets to incorporate threat modeling has largely been driven by the realization that writing secure code from the ground up is not only a much more effective risk mitigation strategy, but also reduces the high cost of fixing production vulnerabilities. And while threat modeling continues to mature, most organizations that perform threat modeling today are predominantly using in-house, patchwork methodologies, along with outside security consultants, due to a lack of automated tools and widely accepted industry standards.

Because most application threat modeling methodologies and frameworks lack automation, they are unable to scale across large enterprises. This limitation has resulted in organizations continuing to rely heavily on security consultants to deliver customized services in order to implement a threat modeling process. However, this approach is largely a manual effort that is not only costly, but cannot effectively keep pace with ongoing software and architectural changes, let alone the ever-changing threat landscape. Another obstacle to adoption is the inability to involve key stakeholders in the threat modeling process through real-time collaboration. Too often, the primary focus of threat modeling is to address risk exposure from an engineering and technical perspective, while losing sight of the actual costs and negative impact to a business should a breach occur. Until organizations are able to consistently align application security risk and risk mitigation with business priorities to manage potential costs and brand damage, threat modeling will continue to be viewed as a largely theoretical exercise.

The Future

Looking forward, threat modeling should be capable of automatically and accurately pinpointing where threats exist and providing clear, actionable output, such as recommending the appropriate security controls, presenting test cases, displaying attack trees, etc., to ensure threats are mitigated in the most effective way possible. In addition to identifying threats, threat modeling should also provide a way to calculate both the technical and business impact to an organization if threats are carried out, and correlate threats to real-time threat intelligence to more effectively manage risk based on actual threat data.

Ideally, threat modeling should also be correlated with an organization’s security policy and risk management, in a way that business executives can easily understand application risk, regardless of their level of application security expertise. This will allow senior management, security specialists, and software developers to work collaboratively to more effectively prioritize and mitigate threats.

Contextual, risk-based threat scoring should become an integral component of an effective threat modeling practice as well. Automatically applying key threat factors such as exploitability, discoverability, automation, and the ability to predict the business and technical impact if a threat is carried out will significantly help prioritize mitigation efforts.  This can be accomplished through integration with current industry-standard threat scoring systems such as CWSS, CVSS, etc., and/or with custom-built threat scoring classifications, and will be an essential component of an efficient threat modeling process.

Furthermore, threat modeling should also allow organizations to accurately calculate costs associated with mitigation, not only to help prioritize mitigation efforts, but to provide an objective process for aligning security budgets with risk.

In summary, an effective threat modeling program should be able to automatically identify threats, specify the appropriate mitigating controls, provide risk classification metrics to prioritize mitigation, present easy to understand security requirements that can be integrated into the SDLC, keep threat data current, automatically generate reports that are customizable to meet the needs of various stakeholders, and enable a consistent, repeatable, scalable, process that can be implemented enterprise-wide.

Conclusion

With the maturation of application security over the past decade, along with advances in threat modeling methodologies and tools to automate processes, threat modeling is rapidly gaining momentum throughout the marketplace. The days of manual, tedious, time-consuming processes that lacked consistency and repeatability, produced unwieldy paper trails, and required subject matter experts are being replaced by more straightforward and automated approaches that include contextual, concrete output that provides the necessary details to show how to mitigate risk, even if a user knows little or nothing about security.

Threat modeling is in the process of transitioning from an art to a science through automation and the development of industry-standard best practices. Compliance with security and regulatory laws, coupled with the substantial, tangible cost benefits associated with developing secure applications from the ground up, makes it clear that threat modeling will become a widely adopted standard going forward. Above all, building security into applications during the design phase is the optimal way for organizations to mitigate risk.

Edit: This post was updated on 07/03/2014 based on the feedback provided by Michael Howard. The date of MS TAM was corrected and changed to 2004 and a reference to Dr. Edward Amoroso was added to highlight the origins of threat trees.
