VAST Threat Methodology
What Is VAST?
Short for Visual, Agile, and Simple Threat modeling, VAST is a threat modeling framework for detecting, categorizing, and prioritizing potential threats to and vulnerabilities of enterprise applications and IT systems. Based on agile DevOps principles, VAST enables scalable threat modeling across large enterprises and produces actionable outputs for security and DevOps teams.
VAST is distinguished from other threat modeling frameworks by its practicality, scalability, and ability to model application threats and operational threats in parallel. This allows developers to evaluate risks in the context of application architectures while empowering security teams to assess threats from an attacker’s perspective.
What Are the Elements of VAST?
VAST threat modeling practices include three pillars—automation, integration, and collaboration.
- Automation: Traditional threat modeling relies on repetitive manual processes, such as threat identification, analysis, and reporting, that require significant expertise and effort. In contrast, automation handles these tasks faster and more accurately, especially when managing complex systems and patterns. In addition, threat models can be updated automatically as new threats arise.
- Integration: Rather than approaching threat modeling as a one-and-done exercise, embedding modeling into development workflows ensures security remains front of mind even amid rapid development cycles. Combined with automation, VAST provides for ongoing assessments of new code, updates, and configurations, reducing rework.
- Collaboration: Traditional threat modeling leans heavily on dedicated security teams, creating silos and curtailing scalability. Aligning modeling with agile principles promotes collaboration and helps distribute responsibility among stakeholders. This reduces bottlenecks and democratizes secure-by-design practices so DevOps teams can adopt them seamlessly from design to production.
As new threats emerge, these pillars can support a sustainable self-service threat modeling practice integrated into software development workflows instead of being driven by security teams alone.
How Is VAST Implemented?
VAST follows the common threat modeling principles: mapping out the system or application, identifying and analyzing weaknesses and potential threats, and proposing corresponding security controls for each threat and risk. VAST builds on traditional threat modeling frameworks by incorporating greater simplicity and collaboration:
- Visual: Using process flow diagrams to depict architectures and interactions between components enables easier visualization of potential attack surfaces and weaknesses.
- Agile: Building iterative and continuous improvement principles into the software development lifecycle facilitates ongoing risk assessments and mitigation.
- Simple: VAST’s straightforward methodology encourages broad participation exercises by technical and non-technical stakeholders.
The VAST framework pairs simplicity with a dual-track approach to modeling application and operational threats using process flow and data flow diagrams. This doesn’t require extensive systems expertise, makes its modeling outputs easier for non-security stakeholders to use.
What Are the Benefits of the VAST Model?
The VAST methodology provides an enterprise-centric view of risks. It offers a visual approach and an ability to handle complexity for organizations that operate at scale with multiple teams and systems.
- Accessible to non-security professionals: Given the importance of diverse perspectives to a well-informed risk assessment, VAST’s visually intuitive threat modeling and mitigation approach is invaluable for fostering cross-functional collaboration.
- Scalability across application estates: In contrast to VAST, many threat modeling frameworks are too labor-intensive or rigid to allow anything more than a case-by-case adoption. This forces organizations to choose which applications to model and which to leave to chance.
- Robust and flexible modeling: VAST supports modern architectures and environments, from core to cloud, regardless of an organization’s structure and compliance requirements.
- Optimized for enterprise development lifecycles: VAST aligns with agile processes and CI/CD development pipelines to reduce bottlenecks, manual effort, and false positives.
What Are the Shortcomings of the VAST Model?
Because VAST was developed with scalability in mind, its capabilities may exceed the requirements of smaller organizations.
- Enterprise focus: VAST’s robust methodology is tailored for large, complex organizations. Smaller organizations may not need the complete VAST’s functionality.
- Tool dependency: As a next-generation methodology, VAST can leverage enterprise tools more than traditional threat modeling frameworks, particularly for automation and implementation.
- Less focus on business risk: Unlike some threat modeling frameworks (such as OCTAVE and PASTA, described below) that factor in broader organizational risks, VAST focuses on identifying operational and technical threats.
Other Threat Modeling Frameworks
VAST is one of a variety of threat modeling frameworks that are commonly used to identify and address potential vulnerabilities:
- OCTAVE: The Operationally Critical Threat, Asset, and Vulnerability Evaluation methodology focuses on quantitative risk weighting and organizational risks to protect assets. OCTAVE is a self-directed, customizable approach, but it leaves security strategy largely to internal IT teams and does not scale well.
- PASTA: The Process for Attack Simulation and Threat Analysis is a seven-step methodology for simulating attacks that combines an attacker-centric technical analysis with assessing and minimizing business risks and impacts. However, PASTA is complex and resource-intensive, inhibiting scaling and development agility.
- STRIDE: One of the first threat modeling frameworks, STRIDE was designed to help developers remember common security threats: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. STRIDE has many variants but remains restricted by its static framework and manual processes.
- Trike Threat Modeling: This open-source framework emphasizes stakeholder-defined risk, meaning that the assigned level of risk for each asset is acceptable to stakeholders. This approach requires a high level of expertise for its quantitative evaluations.
Factors to Consider with Threat Modeling Frameworks
In selecting a threat modeling framework (or frameworks), an organization should consider these questions, among others:
- Organizational goals: Is the objective to evaluate technical security or organizational risks? Is a qualitative assessment sufficient, or is a quantitative risk analysis called for?
- System complexity: How complex is the system in question—does it include multiple connected components or third-party integrations? Can the framework handle various levels of abstraction, from individual components to enterprise-wide systems?
- Resource availability: How much staff time is available for a cross-functional exercise? Is the expertise for the desired depth of analysis available in-house?
- Technology requirements: Does the framework play well with existing tools and workflows, including modern development methodologies? Are automated tools available to support and scale the framework by reducing the manual lift required?
In some cases, combinations of frameworks can lead to more thorough assessments. However, to produce stronger security postures, the chosen framework should offer practical benefits in integration and scalability.
VAST: A Scalable Enterprise Threat Modeling Framework
The VAST framework was created to address the shortcomings of data flow diagrams and manual threat modeling processes, bring threat modeling capabilities in-house, and make threat modeling scalable. Designed for automation and seamless integration into modern development environments, VAST is ideal for large organizations with complex, interconnected systems. Its ability to handle both application and operational threat modeling ensures comprehensive coverage, and its conceptual simplicity and visual approach to threat modeling make it easier for non-technical stakeholders to collaborate.
This practical approach is a key differentiator of the VAST methodology. ThreatModeler was founded on the same principle, leveraging VAST frameworks to scale threat modeling and provide actionable outputs that are seamlessly integrated within agile development workflows.