As threat modeling becomes an integral part of application development, it is interesting to take a look back on its evolution. Here we see that its development represents a continuum from do-it-yourself to one-click threat modeling (almost).
Developed by two Microsoft engineers in the 1990s, STRIDE is not so much a threat modeling tool as it is a framework to use in preparing for threats. In that regard it is more strategic than tactical. Something to keep in mind as you create your threat model.
STRIDE is an acronym for six threat categories:
- Information disclosure
- Denial of service
- Elevation of privilege
STRIDE is at the far end of the do-it-yourself (DIY) threat modeling continuum. It provides guidance rather than assistance. And does little to actually help you create a model of your threats.
Microsoft Data Flow Diagrams (DFD)
As previously alluded to, threat modeling requires a threat model, or in threat modeling terms, a data flow diagram (DFD). It’s much easier to model threats if you can visualize how data flows through your system. This is where data flow diagramming comes in. It’s an essential first step to effective threat modeling.
Microsoft understood the importance of DFDs to threat modeling and consequently developed a tool to create them. From Microsoft, “Microsoft Threat Modeling Tool helps engineers create data-flow diagrams and apply STRIDE for their threat modeling work.” The diagramming tool is called Visio.
Strictly speaking, Visio is more of a diagramming tool than a threat modeling tool. It’s certainly preferable to using a whiteboard, but it has limited functionality. All the work must be done manually and it still requires a certain degree of expertise in threat analysis to make use of the DFD. Really, DFDs are just one part of threat modeling activities.
Building on the concept of the DFD, OWASP’s PASTA (process attack simulation & threat analysis) “is a complete methodology to perform application threat modeling.” PASTA is more than a just a framework or a diagramming tool—it’s more akin to a methodology.
“PASTA introduces a complete risk analysis and evaluation procedures that you can follow to evaluate the risk for each of the identified threat.” These PASTA procedures come with two philosophical improvements in threat modeling.
First, PASTA emphasizes identifying threat impacts earlier in the development process. Second, PASTA recognizes that risks are not binary (risky or not risky) and they need to be ranked. And while PASTA is a valuable process-based approach to threat modeling, it still requires that you have (or acquire) a specific expertise in threat analysis and mitigation.
As threat modeling evolves, increasingly people look for ways for developers to use it without having to be security experts. Ideally, you’d like as much of the expertise as possible to be “built in” to the tool or procedure or framework. And that’s where OWASP’s ASVA comes in.
ASVA—or application security verification standard—“provides a basis for testing web application technical security controls and also provides developers with a list of requirements for secure development.” ASVA is essentially a checklist replacement for STRIDE. And as a checklist, it’s less theoretical and more practical.
The expertise is embedded in the ASVA checklist. One of the objectives for ASVA is to continue to expand the checklist over time so it becomes more comprehensive. Theoretically, if you had a perfectly comprehensive checklist, you could create a very effective threat model.
AVSA is a better mouse trap for threat modeling, but it still has one shortcoming. It still requires manual checks on technical controls. In a perfect world, that would be done automatically to save time and potentially errors. And that’s where ThreatModeler comes in.
ThreatModeler, which is an enterprise-class threat modeling and collaboration tool, combines many of the aspects of the previous tools and does one other thing. It automates as much of the threat modeling process as possible. In that vein, today, it’s as close to one-click threat modeling as there is.
ThreatModeler automatically discovers cloud environments and monitors the environment for changes. It automatically generates the data flow diagrams and recommends mitigation controls. It also has the ability to automatically analyze infrastructure-as-code (IaC) in a DevOps pipeline for threats and recommends remediation.
ThreatModeler is just the latest outpost in the evolution of threat modeling, which will undoubtedly continue into the foreseeable future. To arrange a free demo of ThreatModeler, click here.