NOTE: This is part two of a three-part series on making the business case for using commercial threat modeling tools. In part one, we put a dollar figure on the cost of a missed threat. In part two, we’ll put a dollar figure on the extra hours required to produce a threat model using free, open-source tools. We’ll do it for both 25 threat models and 100 threat models.
Time Savings Using Commercial Threat Modeling
According to research done at Carnegie Mellon University, “There are a number of threat modeling methods. Perhaps the most well-known and widely used is STRIDE, derived from six threat categories: Spoofing identity, Tampering with data, Repudiation, Information Disclosure, Denial of Service, and Elevation of privilege. However, using STRIDE for threat modeling requires an onerous and time-consuming application of checklists of potential threats to the components of the various systems and subsystems.”
Whether you’re using an open-source tool like Threat Dragon or you’re doing it yourself with spreadsheets, you’ll be building your threat models that require an “onerous and time-consuming application of checklists of potential threats.”
There are two ways commercial threat modeling tools can save you time compared to doing it yourself. The first is auto-discovery, which is applicable to cloud deployments. There are commercial tools, for cloud deployments, that literally produce one-click threat models. With one click, the tool maps your environment, builds a model, and produces all the threats and mitigations.
The second way commercial threat modeling tools can save you time is through the use of templates. Modern applications and systems are inherently built with oft-used, vetted components. As a result, most of the applications in an organization have overlapping features and functionality. Threat modeling efficiency can be gained from building and saving reusable snippets, which are portions of threat models corresponding to the frequently used application and system components saved as templates. New threat models can be built with substantial time and resource savings when the common features and functionality are drawn from a library of templates.
Because of these two time-saving opportunities, not only can commercial threat modeling tools save you time on your very first threat model, but time savings are amplified the more models you create due to taking advantage of templates.
Money Savings Using Commercial Threat Modeling
So, how do we translate this time savings into money savings? We know from experience how much time it takes to create a manual threat model, on average, compared to building one from a template or using auto-discovery. We use $75/hr., as a fair hourly rate for a senior engineer with enough experience to create their own threat models. The results are shown in the table below.
|Open Source||Commercial||Open Source||Commercial|
|No. of threat models||25||25||100||100|
|Ave build time (hr.)||60||2||60||2|
|Ave maintenance time (hr.)||32||4||32||4|
|Total $ to build||$112,500||$3,750||$450,000||$15,000|
|Total $ to maintain||$60,000||$7,500||$240,000||$30,000|
|Total labor $||$172,000||$11,250||$690,000||$45,000|
|TM tool $ (per/yr.)||$99,000||$249,000|
In other words, if you’re doing 100 threat models per year, using a commercial threat modeling tool can save you enough money to hire two additional full-time developers. That not only makes your applications more secure but makes your development time shorter too.
Commercial threat modeling tools help you to avoid overlooking threats, they save you money while you avoid overlooking those threats and they save you money by speeding up your development. In part three of the series, we’ll give you the ammunition you need to get your management to make the smart investment in commercial threat modeling tools.
By the way, you can learn more about automated threat modeling right here.