There is general consensus in the DevSecOps community that threat modeling is a good thing. The sooner in the application development cycle you find a threat the less it costs to fix, and there’s hardly any better way to “shift left” than with threat modeling.
So, why don’t more development teams enthusiastically dive into threat modeling? In this article we explore some of the common misconceptions surrounding threat modeling that may inadvertently be slowing adoption.
Misconception 1: Threat modeling requires threat modeling expertise
It certainly doesn’t hurt to have years of threat modeling experience creating process flow diagrams or data flow diagrams, but it’s no longer necessary.
It’s not feasible to expect developers to also be security mitigation experts. So, for a while, outside expertise was required to do in-house threat modeling. Today, most of the threat modeling expertise is built right into threat modeling tools making threat modeling is just one more part of a developer’s IDE.
Misconception 2: Threat modeling is a labor-intensive manual process
In the beginning, threat modeling diagrams were done by hand. Of course, those days are long gone.
Much of the heavy lifting in threat modeling today is done behind the scenes by sophisticated threat modeling tools. These threat modeling tools automatically visualize attack surfaces, mitigate security flaws and minimize threat drift. With the very best tools, threat modeling has almost become a one-click activity.
Misconception 3: Threat modeling is separate from the CI/CD pipeline
For a long time, threat modeling was viewed as something you “bolt on” to your CI/CD pipeline. It was an afterthought, something you did when you were done with development. But that too is no longer the case.
Today, threat modeling has been made to integrate right into the CI/CD pipeline turing DevOps into DevSecOps. It can also integrate with other tools and technologies like JIRA. Threat modeling is now a seamless part of the SDLC.
Misconception 4: Threat modeling doesn’t work in dynamic cloud environments
Actually, modern threat modeling tools work better in dynamic cloud environments.
Because modern threat modeling tools have been made to integrate with cloud service providers, they can respond in real-time to changes in the environment. Continuous cloud architecture monitoring is now available for those doing threat modeling.
Misconception 5: It’s too hard to stay up to date on the latest threats
If you had to stay up to day manually, it would be too hard, but you don’t have to. Threats today are cataloged in near real-time in publically available databases like CVE. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.
When the information contained in these databases is incorporated into the threat modeling process, staying up to date on the latest threats is easy and automatic.
Misconception 6: Each new threat model must start from scratch
In any area of technology, there’s almost no reason to start from scratch when someone has come before you and already solved the problem you need to solve. There’s no difference with threat modeling.
Today, threat modeling experience and best practices are captured in pre-build and vetted threat modeling templates you can use to jump start your threat model. This saves time and money and dramatically increases of deploying an effective threat model.
Misconception 7: You’re all alone when it comes to threat modeling
Even with the sophisticated threat modeling tools available, it would be nice to have a community of threat modeling practitioners to bounce ideas off of. Like Stack Overflow for developers, it would be nice to have a community to learn, share and build careers around threat modeling. The good news? Now there is.
ThreatModeler Community is community built for those who hope to use threat modeling in general, and ThreatModeler in particular, to increase their success using threat modeling. If you’d like to learn more about ThreatModeler or the ThreatModeler Community, reach out here. And don’t let any of these misconceptions keep you from doing threat modeling.