NOTE: This is part three of a three-part series on making the business case for using commercial threat modeling tools. In part one, we put a dollar figure on the cost of a missed threat. In part two, we put a dollar figure on the extra hours required to produce a threat model using free, open-source tools. In this article, we’ll discuss the high opportunity costs of using open source tools.

What are Opportunity Costs?

Opportunity costs are a term economists use to put a dollar figure on what you missed out on. For instance, imagine you can make one of two investments. The first one would make you $1,000, and the second one would make you $2,000. Your accountant (and the IRS) will tell you the first investment represents a gain of $1,000 (on which you have to pay taxes).

Economists see it differently. They will tell you the first investment represents a loss of $1,000 because you missed out on the opportunity to make $2,000 with investment two. That $1,000 loss is your opportunity cost for choosing the first investment.

It works the same with business investments as it does with financial investments. What are the opportunity costs of using a tool that costs less but also does less? In other words, what are the opportunity costs of using open source threat modeling tools?

The Opportunity Cost of Open Source

If opportunity costs are what you miss out on, then the opportunity costs of using open source threat modeling tools are all the things you can’t do with them that you can do with commercial tools.

An example of an opportunity cost is actionable, real-time threat intelligence. Here, relevant threats (and associated security requirements, guidelines, etc.) are gathered automatically without human intervention. This is something you can do with commercial tools but will miss out on if you choose one of the open-source alternatives. And this is a genuine opportunity cost because you can’t practically produce real-time threat intelligence manually either. You either get it with a commercial threat modeling tool, or you learn to do without it.

What are some other opportunity costs of using open source—the things you’ll miss out on? Here is just a partial list:

  • Seamless integration with SSO
  • Integration with AWS and the CI/CD pipeline
  • Near instantaneous analysis of live cloud environments
  • Automatic generation of CloudFormation templates
  • One-click threat modeling
  • Chained threat models
  • A collaboration platform
  • The ability to score applications for risk-based governance controls
  • Continuous threat updates from MITRE CAPEC, WASC, OWASP, CSA, and NVD
  • Real-time threat publishing to a central library
  • Threat model versioning

Conclusion

Admittedly, putting an accurate dollar figure on these opportunity costs is a challenge. But maybe it’s not even necessary, because any amount you place on them only makes the case for commercial threat modeling tools more compelling.

If you’re committed to developing secure applications and you view threat modeling as an essential step toward that goal, then we have presented some strong ammunition in this three-part series on why commercial threat modeling tools are a good investment.

What’s the old joke? If you think commercial threat modeling tools are expensive, try not using them. To learn how ThreatModeler more than pays for itself, reach out to us for a free demo. We’ll be happy to answer all of your questions.