There is general consensus in the DevSecOps community that threat modeling is a good thing. The sooner in the application development cycle you find a threat the less it costs to fix, and there’s hardly any better way to “shift left” than with threat modeling.
So, why don’t more development teams enthusiastically dive into threat modeling? In this article we explore some of the common misconceptions surrounding threat modeling that may inadvertently be slowing adoption.
Misconception 1: Threat modeling requires threat modeling expertise
It certainly doesn’t hurt to have years of threat modeling experience creating process flow diagrams or data flow diagrams, but it’s no longer necessary.
It’s not feasible to expect developers to also be security mitigation experts. So, for a while, outside expertise was required to do in-house threat modeling. Today, most of the threat modeling expertise is built right into threat modeling tools making threat modeling is just one more part of a developer’s IDE.
Misconception 2: Threat modeling is a labor-intensive manual process
In the beginning, threat modeling diagrams were done by hand. Of course, those days are long gone.
Much of the heavy lifting in threat modeling today is done behind the scenes by sophisticated threat modeling tools. These threat modeling tools automatically visualize attack surfaces, mitigate security flaws and minimize threat drift. With the very best tools, threat modeling has almost become a one-click activity.
Misconception 3: Threat modeling is separate from the CI/CD pipeline
For a long time, threat modeling was viewed as something you “bolt on” to your CI/CD pipeline. It was an afterthought, something you did when you were done with development. But that too is no longer the case.
Today, threat modeling has been made to integrate right into the CI/CD pipeline turing DevOps into DevSecOps. It can also integrate with other tools and technologies like JIRA. Threat modeling is now a seamless part of the SDLC.
Misconception 4: Threat modeling doesn’t work in dynamic cloud environments
Actually, modern threat modeling tools work better in dynamic cloud environments.
Because modern threat modeling tools have been made to integrate with cloud service providers, they can respond in real-time to changes in the environment. Continuous cloud architecture monitoring is now available for those doing threat modeling.
Misconception 5: It’s too hard to stay up to date on the latest threats
If you had to stay up to day manually, it would be too hard, but you don’t have to. Threats today are cataloged in near real-time in publically available databases like CVE. The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures.
When the information contained in these databases is incorporated into the threat modeling process, staying up to date on the latest threats is easy and automatic.
Misconception 6: Each new threat model must start from scratch
In any area of technology, there’s almost no reason to start from scratch when someone has come before you and already solved the problem you need to solve. There’s no difference with threat modeling.
Today, threat modeling experience and best practices are captured in pre-build and vetted threat modeling templates you can use to jump start your threat model. This saves time and money and dramatically increases of deploying an effective threat model.
Misconception 7: You’re all alone when it comes to threat modeling
Even with the sophisticated threat modeling tools available, it would be nice to have a community of threat modeling practitioners to bounce ideas off of. Like Stack Overflow for developers, it would be nice to have a community to learn, share and build careers around threat modeling. The good news? Now there is.
ThreatModeler Community is community built for those who hope to use threat modeling in general, and ThreatModeler in particular, to increase their success using threat modeling. If you’d like to learn more about ThreatModeler or the ThreatModeler Community, reach out here. And don’t let any of these misconceptions keep you from doing threat modeling.
FAQs About Threat Modeling
What is the main benefit of incorporating threat modeling in the application development cycle?
The main benefit is identifying threats early in the development process, which significantly reduces the cost and effort to fix security issues.
Do developers need to be security mitigation experts to perform threat modeling?
No, with modern threat modeling tools, most of the expertise is built-in, making it a seamless part of a developer’s Integrated Development Environment (IDE).
Is threat modeling still a labor-intensive manual process?
No, sophisticated threat modeling tools automate much of the process, including visualizing attack surfaces, mitigating security flaws, and minimizing threat drift.
Can threat modeling be integrated into the CI/CD pipeline?
Yes, modern threat modeling tools are designed to integrate with the CI/CD pipeline, turning DevOps into DevSecOps and making it a seamless part of the Software Development Life Cycle (SDLC).
Are modern threat modeling tools effective in dynamic cloud environments?
Yes, modern tools work well in dynamic cloud environments and can integrate with cloud service providers, allowing real-time response to environmental changes and continuous cloud architecture monitoring.
How can developers stay up to date on the latest threats?
Threat modeling tools can incorporate information from publicly available databases like the Common Vulnerabilities and Exposures (CVE) system, making it easy and automatic to stay current on the latest threats.
Do new threat models always have to start from scratch?
No, developers can use pre-built and vetted threat modeling templates to save time and money while increasing the chances of deploying an effective threat model.
