Three Pillars of a Scalable Threat Modeling Practice

When threat modeling first moved from theory to application in the early 2000s, completing one model for every 40 hours of personnel resource was considered acceptable. However, now that regulatory pressures and financial consequences are pushing threat modeling into the information security mainstream, organizations are discovering the practical limitations of their traditional threat modeling process. They are pressed to develop a scalable threat modeling practice that can handle, not just fifty to sixty models per year, but hundreds or thousands of models which can be updated quickly as applications are updated or whenever a new threat is catalogued.


What Scalable Threat Modeling Means to the Organization

As organizations are trying to build their threat modeling practice, security departments are increasingly overwhelmed by the workload. Increasing the information security budget may relieve the pressure – for a short while. The reality, though, is that if the threat modeling process being employed does not scale, security personnel and budgets will be stretched beyond their capacity.

Simply put, a scalable threat modeling practice means that security personnel gain effectiveness, efficiency, and momentum with all their efforts, resulting in organization-wide incorporation of security measures. But if each threat model consumes 40 personnel hours of someone with security subject matter expertise, this output will be little more than an unrealized pipe dream, especially under the agile development methodology now mainstream with many development teams.

Furthermore, a threat modeling process that scales across the enterprise enables the security department to sync their efforts with the strategic business objectives discussed in the C-Suite. This, in turn, drives the implementation of security objectives organization-wide. Security personnel will be able to stop chasing urgent emergencies and start systematically implementing the organization's long-term initiatives. Reaching that level of maturity involves three key pillars of a scalable threat modeling practice.

1. Automation

If creating a single application threat model consumes 40 resource hours, then that one resource can – at most – theoretically create 50 threat models per year. However, the reality is that each threat model will need to be updated multiple times as the applications undergo numerous enhancements. Additionally, each threat model will need to be updated every time the company’s catalogue of threats is updated. While a single resource could theoretically complete up to 50 models per year, a more realistic estimate might be 20 – 30 unique models.

However, consider the effectiveness your security team could achieve if each personnel resource, rather than being able to complete only 20 – 30 unique application threat models could instead complete 150-250 unique threat models. Moreover, what if each of those unique threat models could be updated to match application revisions in just minutes rather than in days? And how much efficiency would your team gain if every time the threat catalog was updated, each threat model could be updated with the click of a button?

The ability to create 150-250 unique models per year per resource, and to make the development team an integral part of the threat modeling process, can be achieved through the adoption of a process flow diagram (PFD) based approach.
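The mechanism behind the "click of a button" update is that a PFD-based model is generated from data, not hand-written: the diagram's components and flows are matched against a threat catalog, so a catalog or diagram change just means regenerating. The following is an added example (not the page's or any vendor's code); every component, attribute, rule id and rule is a constructed sample.

```python
"""Minimal PFD-based threat model: diagram + catalog -> model, regenerated on change."""

# Constructed sample PFD: components keyed by name, plus directed data flows.
COMPONENTS = {
    "browser": {"kind": "client"},
    "web_app": {"kind": "service", "auth": "session"},
    "orders_db": {"kind": "datastore", "encrypted_at_rest": False},
}
FLOWS = [
    {"src": "browser", "dst": "web_app", "protocol": "https", "data": "credentials"},
    {"src": "web_app", "dst": "orders_db", "protocol": "sql", "data": "pii"},
]

# Constructed threat catalog. Each rule names the element type it applies to and
# the attribute values that trigger it. Rules are data, so a catalog update is a
# data change that every model picks up on regeneration.
CATALOG = [
    {"id": "T-001", "applies_to": "flow", "when": {"protocol": "http"},
     "title": "Cleartext transport"},
    {"id": "T-002", "applies_to": "flow", "when": {"protocol": "sql"},
     "title": "Injection via untrusted input reaching SQL"},
    {"id": "T-003", "applies_to": "component",
     "when": {"kind": "datastore", "encrypted_at_rest": False},
     "title": "Sensitive data unencrypted at rest"},
]
# A later catalog revision adding one rule (the "threat catalog was updated" case).
UPDATED_CATALOG = CATALOG + [
    {"id": "T-004", "applies_to": "flow", "when": {"data": "credentials"},
     "title": "Credential replay"},
]

def _matches(rule, attrs):
    return all(attrs.get(k) == v for k, v in rule["when"].items())

def generate_model(components, flows, catalog):
    """Map each PFD element to the sorted catalog threat ids that apply to it."""
    model = {}
    for name, attrs in components.items():
        ids = [r["id"] for r in catalog if r["applies_to"] == "component" and _matches(r, attrs)]
        if ids:
            model[name] = sorted(ids)
    for f in flows:
        ids = [r["id"] for r in catalog if r["applies_to"] == "flow" and _matches(r, f)]
        if ids:
            model[f"{f['src']}->{f['dst']}"] = sorted(ids)
    return model

def model_delta(old, new):
    """Threat ids newly raised per element after a catalog or diagram change."""
    return {k: sorted(set(v) - set(old.get(k, []))) for k, v in new.items()
            if set(v) - set(old.get(k, []))}

if __name__ == "__main__":
    base = generate_model(COMPONENTS, FLOWS, CATALOG)
    print(base)
    print(model_delta(base, generate_model(COMPONENTS, FLOWS, UPDATED_CATALOG)))
```

The delta is what a reviewer would triage after a catalog release: only elements newly affected, with no manual edits to any existing model.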

2. Integration

Most organizations have a mature SDLC process with various tools automating development at different stages. Tools such as a CMDB, developer IDEs, bug tracking, and established vulnerability scanning and pen-testing procedures are already in use throughout the SDLC. For threat modeling to scale, it has to integrate with these tools to provide seamless output to the development and security teams.

Scaling the threat modeling practice will drive the security process by identifying all the potential threats ahead of time, ideally during the design phase. The effectiveness of the practice will be validated by the scanning tools, ensuring that all the prioritized threats have been properly mitigated. Through integrating with the existing SDLC process and tools, the bottleneck at vulnerability scanning and remediation will be virtually eliminated.

True integration, though, is gained across the entire SDLC initiative only if the threat modeling practice is itself Agile. Then it may fit seamlessly into the development team's work and actually augment their sprint through vulnerability testing and into production. And if your automated application threat model is PFD-based, integration with the development team is relatively easy to achieve.

3. Collaboration

In an organization, there are four key groups of stakeholders throughout the secure SDLC process who are responsible for building and using threat models:

  • Architects provide functional information about the application and high-level risk analysis;
  • Developers are responsible for implementing secure coding standards;
  • The security team identifies relevant threats and their appropriate mitigations, verifies mitigations, and manages identified vulnerabilities;
  • Senior executives assess the organizational threat profile relative to the ERM and prioritize the risk management measures.

When these stakeholders are enabled to collaborate synergistically, the entire threat modeling practice can scale organically to however many threat models the organization requires. In such an environment, developers and architects themselves build and update the threat models of the applications for which they are responsible. Security teams can then review and provide guidance to development teams as and when required. Development and security build on each other's work, significantly reducing the time and effort required to build and maintain threat models. By collaboratively involving multiple stakeholders in the threat modeling process, organizations are able to scale to thousands of threat models annually.

Scalable Threat Modeling is a no-brainer

A scalable threat modeling practice is critical for organizations seeking a secure SDLC practice within the constraints of their available resources. With scalability, the security personnel gain significant efficiency and momentum as they are increasingly freed to implement long-term security objectives. A scalable threat modeling process built upon the three pillars of automation, integration, and collaboration also creates significant payoffs for the architectural and development team as well as the senior executives. Scalability is a win-win across the entire organization.