Companies are starting to recognize the value (and requirements) of doing threat models for their applications and cloud infrastructure. And yet adoption of threat modeling as an organization-wide practice may be lower than expected. Why is that?

To some extent, everyone is intimidated by doing threat modeling. If you’ve never done one, the concept can seem overwhelming, especially if you’re not a security expert. Where do you even start?

On the other hand, if you have done some threat modeling, you know exactly how much work it can be to create one starting from a “blank canvas”. Once again, it’s not something you look forward to doing.

And whether you’ve done threat modeling before or not, if you want to do threat modeling right, you’re going to have to diagram your system. Some threat models use data flow diagrams and some use process flow diagrams.

So, is there any easy way to do threat modeling and create your diagram? Yes, if you do one thing: never start from scratch. In other words, there’s no reason you have to start from a blank canvas.

Take Advantage of Existing Assets

No matter where you’re starting from, chances are you have some assets you can use as a starting point for your threat model. For instance, maybe you have a Visio diagram of your system. There are tools that can ingest the Visio file and generate a threat model diagram from it. At that point, you’re halfway there.

Maybe you’re building out your cloud deployment using infrastructure-as-code (IaC). If you want to threat model that, there are tools that can convert your code file (e.g., Terraform) into a threat model diagram behind the scenes, automatically.
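To make the IaC-to-diagram idea concrete, here is an added example (not ThreatModeler's or this post's own code) that sketches a data-flow diagram from a small, constructed Terraform JSON (`.tf.json`) document: resources become nodes, `${type.name.attr}` references become candidate data flows, and subnet placement (via the `map_public_ip_on_launch` flag) assigns each resource a trust zone so that flows crossing the public/private boundary can be listed for review. The sample configuration and the placement heuristic are assumptions for illustration; a real converter must also confirm flow direction and protocol.

```python
"""Sketch a DFD from a Terraform JSON (.tf.json) document: resources become nodes,
${type.name.attr} references become candidate flows, subnet placement sets the zone."""
import json
import re

# Constructed sample in Terraform's JSON syntax; not a real deployment.
SAMPLE_TF_JSON = """{
  "resource": {
    "aws_subnet": {"public":  {"map_public_ip_on_launch": true},
                   "private": {"map_public_ip_on_launch": false}},
    "aws_instance": {
      "web": {"subnet_id": "${aws_subnet.public.id}",
              "user_data": "API=${aws_instance.app.private_ip}"},
      "app": {"subnet_id": "${aws_subnet.private.id}",
              "user_data": "DB_HOST=${aws_db_instance.db.address}"}},
    "aws_db_subnet_group": {"dbs": {"subnet_ids": ["${aws_subnet.private.id}"]}},
    "aws_db_instance": {"db": {"db_subnet_group_name": "${aws_db_subnet_group.dbs.name}"}}
  }
}"""
REF = re.compile(r"\$\{(\w+)\.(\w+)\.\w+\}")   # matches ${type.name.attribute}
PLACEMENT = {"aws_subnet", "aws_db_subnet_group"}  # references that place a resource, not send data

def build_dfd(tf_json):
    """Return (flows, zones): flows as (source, target) pairs, a trust zone per resource."""
    cfg = json.loads(tf_json)
    nodes = {f"{t}.{n}": a for t, insts in cfg.get("resource", {}).items()
             for n, a in insts.items()}
    refs = {addr: {f"{m.group(1)}.{m.group(2)}" for m in REF.finditer(json.dumps(attrs))}
            for addr, attrs in nodes.items()}

    def zone(addr):
        # A subnet's zone comes from its flag; anything else inherits the zone of where it is placed.
        if addr.startswith("aws_subnet."):
            return "public" if nodes[addr].get("map_public_ip_on_launch") else "private"
        placed_in = [r for r in refs[addr] if r.split(".")[0] in PLACEMENT and r in nodes]
        return zone(placed_in[0]) if placed_in else "unknown"

    zones = {addr: zone(addr) for addr in nodes}
    flows = {(s, t) for s, targets in refs.items() for t in targets
             if t in nodes and t.split(".")[0] not in PLACEMENT}
    return flows, zones

def boundary_crossings(tf_json):
    """Candidate flows whose endpoints sit in different trust zones: the first things to review."""
    flows, zones = build_dfd(tf_json)
    return sorted((s, t) for s, t in flows if zones[s] != zones[t])

if __name__ == "__main__":
    print(boundary_crossings(SAMPLE_TF_JSON))  # web (public) -> app (private)
```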

Or maybe you’ve already built out your cloud deployment. There are actually tools now that can generate a threat model diagram from the live cloud environment without you having to do anything. Doesn’t get any easier than that.

What if you don’t have any existing assets? That’s okay too. Just use someone else’s threat model.

Use Someone Else’s Threat Model

When it comes to threat modeling, as the old saying goes, there’s no reason to re-invent the wheel. The chances are somebody, either inside or outside of your company, has already created a threat model similar to the one you need. Using one of those as a starting point is an easy way to create your threat model.

If there are already some existing threat models in your organization, find the one that is most similar to what you need and save it as a template. Then use that template as the starting point for your threat model. That will probably get you 50 – 80% of what you need.

If all else fails, find an existing threat model outside your company and use that as the starting point for your threat model. The truth is, only a handful of threat models cover about 90% of the use cases for applications and infrastructure. If you can find a repository of already-vetted threat models, you should be able to find one that is similar to the threat model you need. Starting that way beats staring at a blank canvas.

What are the tools that can do these things? Well, there’s one that can do them all: ThreatModeler. ThreatModeler can…

  • Ingest diagrams and convert them to threat models
  • Ingest IaC files and convert them to threat models
  • Analyze a live cloud environment and automatically produce a threat model
  • Let you save threat models as templates to reuse in the future
  • Start your threat model with a pre-vetted threat model from Marketplace

That’s how you make threat modeling easy. To learn more about ThreatModeler, you can reach out here.