It’s easy to think of threat modeling as something developers do during the DevOps process to ensure a safe application. And that’s certainly true. To that end, threat modeling is something you do when developing an application. But that’s not the only time you should do threat modeling.
Threat modeling should be done whenever anything that can impact security changes. And since threat modeling occurs at the intersection of technology and business, it should be done whenever there’s a technology or business change that can impact security. And by technology change, we don’t just mean changes to your own technology.
Technology changes to your business
Technology changes to your business that should trigger a new threat model include front-end changes, back-end changes and everything in between.
Included in this category is migration to a new tech stack (e.g., AWS to Azure, web to mobile), as well as changes to the development framework or open source software (e.g., PHP to Django, Spring to Node). Adding or replacing middleware also counts (e.g., an IAM framework or an encryption scheme).
Technology changes to attackers’ business
Hackers also make technological leaps that should trigger a new threat modeling effort. A good example is when attack research becomes mainstream automation, as in the case of Log4j. Specifically, Log4Shell was a zero-day vulnerability in Log4j, a popular Java logging framework, that allowed arbitrary code execution.
One way to stay on top of changes in exploit technology is to watch the Common Vulnerabilities and Exposures (CVE) database, managed by MITRE and updated regularly. You can do it yourself or employ a threat modeling tool to do it for you.
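Doing it yourself means more than reading the feed: a new CVE only matters to a given threat model if it hits a component that model actually records, at the version actually deployed. The script below is an added example, not code from the original post or from ThreatModeler. It assumes a component inventory exported from the threat model (vendor and product named the way CPE names them) and a feed of CVE records in a simplified, NVD-like shape; the inventory, the feed, the version ranges and the CVE ids are all constructed placeholders for the example. Records that affect an inventoried component at its deployed version and meet a CVSS threshold are returned as triggers for a threat model review.

```python
"""Flag CVEs that should trigger a threat model review (added example)."""
import json

# Constructed inventory: components recorded in an application's threat model.
# Vendor/product follow CPE naming; versions are illustrative, not a real deployment.
INVENTORY = [
    {"vendor": "apache", "product": "log4j", "version": "2.14.1"},
    {"vendor": "djangoproject", "product": "django", "version": "4.2.0"},
    {"vendor": "nodejs", "product": "node.js", "version": "18.17.0"},
]

# Constructed CVE feed in a simplified, NVD-like shape. The ids are placeholders,
# not real CVE identifiers, and the affected ranges are invented for the example.
CVE_FEED_JSON = """
[
  {"id": "CVE-0000-0001", "cvss": 10.0,
   "affects": [{"cpe": "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*",
                "start_inc": "2.0", "end_exc": "2.15.0"}]},
  {"id": "CVE-0000-0002", "cvss": 7.5,
   "affects": [{"cpe": "cpe:2.3:a:djangoproject:django:*:*:*:*:*:*:*:*",
                "start_inc": "3.2", "end_exc": "4.1.0"}]},
  {"id": "CVE-0000-0003", "cvss": 9.8,
   "affects": [{"cpe": "cpe:2.3:a:vmware:spring_framework:*:*:*:*:*:*:*:*",
                "start_inc": "5.3.0", "end_exc": "5.3.18"}]}
]
"""


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1); a non-numeric part compares as 0."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version, start_inc, end_exc):
    """Inclusive lower bound, exclusive upper bound; None means unbounded."""
    v = parse_version(version)
    if start_inc is not None and v < parse_version(start_inc):
        return False
    if end_exc is not None and v >= parse_version(end_exc):
        return False
    return True


def cpe_vendor_product(cpe):
    """Extract (vendor, product) from a CPE 2.3 formatted string."""
    fields = cpe.split(":")
    # Layout: cpe:2.3:<part>:<vendor>:<product>:<version>:...
    if len(fields) < 5 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return fields[3], fields[4]


def affected_components(cve, inventory):
    """Inventory entries whose vendor/product and version fall inside a CVE's ranges."""
    hits = []
    for crit in cve["affects"]:
        vendor, product = cpe_vendor_product(crit["cpe"])
        for comp in inventory:
            if (comp["vendor"], comp["product"]) != (vendor, product):
                continue
            if version_in_range(comp["version"], crit.get("start_inc"), crit.get("end_exc")):
                hits.append(comp)
    return hits


def review_triggers(feed_json, inventory, min_cvss=7.0):
    """CVEs that should trigger a threat model review, highest severity first."""
    triggers = []
    for cve in json.loads(feed_json):
        if cve["cvss"] < min_cvss:
            continue
        hits = affected_components(cve, inventory)
        if hits:
            triggers.append({
                "id": cve["id"],
                "cvss": cve["cvss"],
                "components": [f'{c["product"]} {c["version"]}' for c in hits],
            })
    return sorted(triggers, key=lambda t: t["cvss"], reverse=True)


if __name__ == "__main__":
    for trigger in review_triggers(CVE_FEED_JSON, INVENTORY):
        print(f'{trigger["id"]} (CVSS {trigger["cvss"]}) affects '
              f'{", ".join(trigger["components"])}')
```

With the constructed data only the first record is a trigger: the inventoried Log4j version sits inside its affected range, the Django version is above the second record's range, and Spring is not in the inventory at all. The matching is deliberately strict on vendor and product so that a CVE for a similarly named but different component does not create noise; the version parser is simplistic and treats suffixes such as "-rc1" as numerically equal to the base version, which is the conservative direction for a review trigger.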
One level up from technology changes are business changes.
Examples of business changes that warrant a threat model include digitization of a physical business (e.g., mobile check deposit), enablement of a new product line (e.g., mortgage applications), and monetization of an asset (e.g., apps with rewards or subscriptions).
Changes in Business
One change that should trigger a new threat model, but is often overlooked, is a change in your business itself: a merger, an acquisition or a divestiture.
If your company acquires or merges with another organization, you most likely will benefit from a threat model, even if it’s only a one-time threat model.
You’re probably inheriting new tech stacks, development frameworks, open source software or middleware. You may also be taking on new digital products, product enablement or monetized assets. But it’s more than just those changes.
New companies often mean new policies and new regulations. Threat models can also be used to model threats of policy and compliance violations, which can be just as detrimental to your organization as a data breach.
It’s important to understand the role threat modeling can play in organizations. Its scope is usually far wider than most imagine. Having a wider view of the need for threat modeling makes it more compelling to invest in a threat modeling tool.
With a tool you use once, it’s hard to justify the ROI. But a tool you use in every aspect of your business, any time there is a meaningful change, that’s a much easier case to make.
If you’re not sure where to start your search for a threat modeling tool with a terrific ROI, we suggest you look at ThreatModeler. ThreatModeler is more than a tool; it’s a platform that facilitates collaboration and helps you address all the changes in your business.