Imagine you’re a developer in the middle of your current two-week sprint. You’re under a lot of pressure and working long days when the application architect tells you that you need to threat model your design.
You may not have a lot of threat modeling experience. At that moment you probably see threat modeling as more of a hurdle to get over than a way of developing secure code. You’re probably thinking to yourself, what’s the easiest way to “check this box”?
When it comes to threat modeling an application, you have a lot of options, and some of them are as simple as answering a list of questions. And if your goal is to just check the box, that’s not a bad way to go. Of course, in the back of your mind you realize that’s not going to get you the most effective threat model or, consequently, the most secure application. What to do?
Threat Modeling Options
The basis of any threat model is the architecture diagram. There are architecture diagrams based on data flows and there are architecture diagrams based on process flows. Both have their strengths and weaknesses, but either way, if you want a threat model, you’re going to have to create an architecture diagram.
At its simplest, threat modeling is about creating an architecture diagram, then interrogating that diagram for vulnerabilities. So, developing threat models requires you to answer a list of questions. What makes a threat model effective is the point at which you answer those questions.
It’s tempting to skip the mental exercise of creating your architecture diagram. It would be nice if you could just answer a list of questions and have some threat modeling software tool create the architecture diagram for you. And certainly, there are products available to do that, which sure makes for easy threat models. But does it make for effective threat models?
Effective Threat Modeling
Effective threat modeling is about details, in particular the details in your architecture diagram. Each component in your diagram represents capabilities, vulnerabilities, security requirements, compliance requirements and more. Getting to that level of detail is what facilitates effective threat models.
The problem with having some software create the architecture diagram for you, based on a series of questions, is that the resulting diagram is too high-level and too general. Consequently, the component-level details are missing.
The bad news? If you want to create effective threat models, and as a consequence secure code, you need to start your threat modeling effort by creating the architecture diagram. The good news? There are software tools available today that do 80% of the work for you. In fact, at least one tool has a library of pre-designed threat model templates that takes most of the hassle out of creating architecture diagrams. Who makes such a tool? ThreatModeler.
ThreatModeler is as close to one-click threat modeling as there is. It’s based on the idea that to create an effective threat model, you must first create an architecture diagram, but creating that architecture diagram shouldn’t be difficult and shouldn’t require any particular security expertise.
If you’d like to learn more about ThreatModeler’s capabilities, you can contact us here.