Threat modeling actually goes back further than you might think. Depending on what you choose as the starting point for the first threat model, you can trace it back to the 70s, 80s or 90s. Regardless of the particular starting point, one thing is for sure. From that moment on, threat modeling has never stopped evolving or being reinvented.
What started out as a project conducted by expert consultants for on-premises physical hardware has more or less evolved into a self-service process done by in-house engineers on virtual equipment in the cloud. And so this evolution and reinvention continues today.
Where We’ll See Change
There are six specific areas in which threat modeling is being reinvented today. They are discussed below.
1. Creating an inclusive security culture
As we’ve pointed out previously, it’s no longer sufficient to “just build threat models”. Today, most companies understand they must build an inclusive security culture. Security needs to start at the top and inform everything the organization does, not just DevOps.
Today, threat modeling is being reinvented to be the cornerstone of an inclusive security culture. It’s becoming more than just a tool. It’s becoming a way of visualizing a business as a series of risks that need to be mitigated.
2. Existing in a collaborative platform
Technology evolves too quickly for any one person, or even one group, to be expected to stay up on everything. It’s going to take a village to create a secure organization and that’s why threat modeling is being reinvented as a collaborative platform.
Business managers know what assets are valuable, while marketing may have better insights on who is accessing the system. These inputs may be crucial to an effective threat model. The bottom line is there must be inputs to threat modeling from all parts of the organization, not just DevOps.
3. Creating a repeatable process
Repeatability matters for all aspects of a growing business, not just threat modeling. That’s why every part of the threat modeling process is being reinvented to be repeatable. Nobody wants to start with a blank canvas every time.
The most modern threat modeling tools ensure that every task is repeatable. To that end, templates and frameworks are frequently leveraged to enable new threat models to be built on old, proven ones.
4. Being done faster
There’s always a need for speed, and the way that’s being reinvented in threat modeling is by automating as much as possible. From drag-and-drop designs to one-click cloud threat models, almost everything in threat modeling is being automated.
Here is a partial list of what has already been automated:
Threat models from code
Distribution of threat models
5. Threat modeling all applications and systems
As previously alluded to, threat modeling isn’t just for DevOps anymore. It’s being reinvented to address the entire organization. That includes all applications and all systems, especially those created by third parties.
Given the interconnectedness of organizations and the widespread use of APIs (application programming interfaces) for applications to communicate with each other, a threat to one system is a threat to them all. And since no one can be sure what threat modeling was done on others’ applications, it becomes imperative to do threat modeling on all of yours.
6. Integrating into the DevOps toolchain
DevOps teams use a lot of tools today. There are tools for source code management like Git and tools for issue tracking like Jira. And the one thing these tools all have in common is they seamlessly integrate into the DevOps lifecycle. And so too it must be with threat modeling.
Modern threat modeling tools are being reinvented to integrate right into the CI/CD pipeline to become “just another tool” for engineers: a tool they use without giving it much thought, but one that has an oversized impact on the security of their work.
Threat modeling the tool and threat modeling the process are both constantly being reinvented with the same end goal in mind: more secure organizations. In this article, we covered six areas where the reinvention is happening right now.
If you’d like to learn about a modern threat modeling tool that already has many of these reinvented capabilities, check out ThreatModeler. We’d love to show you how it works.