Nobody thinks modeling threats is a bad idea. And yet threat modeling still isn’t broadly adopted in the development community. Why is that? According to Izar Tarandach and Matthew J. Coles in their book Threat Modeling, it’s because “convincing stakeholders that threat modeling is important can be difficult.”
As the two writers go on to explain, there are a lot of reasons for that, including everyone being busy, not everyone understanding the system, and not all architects and coders having a complete understanding of what they’re working on.
But probably the most important reason is that threat modeling is hard. It takes highly specialized talent and there is a lot to know, which requires both a breadth and depth of knowledge and experience. So, the default position for many organizations—organizations that could really benefit from threat modeling—is to do nothing.
Automated Threat Modeling
If threat modeling had continued to be a manual activity, it would, for all intents and purposes, be off limits for many companies. After all, threat modeling is hard (and getting harder) to do, and very few companies can even find the expertise, let alone hire it.
According to Cybersecurity Journal, “Owing to the increasing complexity in information technology (IT) architectures and the rapid increase of digital threats, it is difficult to maintain an up-to-date and comprehensive threat model of a given system.” That about sums up manual threat modeling.
But threat modeling has been automated. Tools are now commercially available that essentially do the threat modeling for you. You don’t need to find or hire the expertise, because it’s contained within the knowledge base of the tool itself.
More importantly, there are tools that do automated threat modeling in the cloud and there are tools that do automated threat modeling when that cloud infrastructure is built with code. And that’s important because software can get pushed to the cloud multiple times a day, each of which requires its own threat model. There’s just no way to do that manually.
The Case for Automated Threat Modeling
So, lack of expertise is no longer an obstacle to doing threat modeling and is therefore no longer an excuse. At this point it simply becomes a return-on-investment business decision. Will the cost of an automated threat modeling tool pay for itself?
Do a search and you’ll find a hundred articles that all say the same thing: software defects cost less when caught early. And that certainly applies to security threats in the application as well.
Trying to calculate the exact amount of money saved by detecting a threat early in the software development lifecycle (SDLC) is challenging. That’s due in part to the challenge of calculating the cost of successful exploitation of that threat. There’s the cost to patch the software. There may be regulatory fines. And of course, lost business. But that doesn’t mean you shouldn’t try.
Come up with an estimate, any way you can, for the total cost of successful exploitation of a threat to your application. Don’t worry about accuracy. Then compare that to the cost of an automated threat modeling tool.
Not sure which one? How about ThreatModeler? ThreatModeler automates just about everything in threat modeling, so it’s a good place to start. We think that after you run all the numbers, you’ll see a strong case for automated threat modeling.