If you haven’t kept up with the evolution of threat modeling, you probably still picture it as a diagramming tool or a classification framework like STRIDE. There was a time when that was the sum total of threat modeling capability, but today those are just starting points. Threat modeling has evolved well beyond visualizing threats.
Threat Modeling’s Expanded Capabilities
Suppliers of threat modeling tools, in an effort to achieve wider industry adoption, have expanded threat modeling capabilities in three significant ways.
First, modern threat modeling tools eliminate the need to be a security expert. Developers need to create secure code, but few are security experts. When security intelligence is baked right in, threat modeling becomes just another tool that developers can use to make their job easier (and their code more secure).
Second, modern threat modeling tools are automated. The threat landscape changes too quickly for threat modeling to depend on any kind of manual process. This is especially true of the threat catalog and its mitigations: in the best threat modeling tools, those are updated in near real time.
Third, modern threat modeling tools do more than just model threats.
Attack Surface and Compliance
First-generation threat modeling tools helped answer a single question: what? As in what can harm me? Today, threat modeling tools help answer many more questions. Questions like who can harm me? What can they harm? How can they harm it? What impact will that harm have? And so on.
Because applications have moved from centralized servers to cloud deployments, threat modeling tools have also evolved from simply AppSec to DevSecOps. They now address the entire attack surface rather than just the standalone application. This holistic view of threats means threat modeling now addresses application threats, cloud threats, and Infrastructure-as-Code (IaC) threats. And it addresses one additional threat: compliance.
Failure to meet regulatory compliance requirements poses as big a threat to some organizations as security vulnerabilities, at least from a financial standpoint. Regulatory fines can exceed the cost of recovering from a cyberattack. That’s why GRC (governance, risk, and compliance) is top of mind in most organizations today.
Regulations like HIPAA for software used in the medical industry, GDPR for software processing user data in the EU, and PCI-DSS for software dealing with credit card transactions are all examples of requirements today’s applications may have to meet. And just as with security vulnerabilities, it can be difficult for developers to know whether or not their application is in compliance. That’s why today’s very best threat modeling tools don’t just check for security threats, but for regulatory compliance violations as well.
If you’re going to invest in a threat modeling tool, you may as well get one that automatically identifies, in real time, all the security vulnerabilities and all the compliance violations, and suggests mitigations for them.