Threat modeling is known as one of the most significant methodologies in the security of applications and the software development life cycle. A threat modeling tool helps security experts to identify potential threats and risks performed by attackers to protect a system’s infrastructure. Christopher Alexander presented the first concept of threat modeling in 1977 on the concept of architectural patterns. As a result, IT engineers began developing threat modeling concepts for information systems.
Microsoft documented the first threat modeling tool in 1999 applying the Schneier’s attach tree¹ to identify potential threats relevant to the Microsoft Windows infrastructure. Shortly after, new threat modeling methodologies were developed – OCTAVE, P.A.S.T.A, Trike and VAST. Threat modeling organizations started using a different approach to their threat modeling software. Microsoft’s threat modeling tool uses STRIDE, while ThreatModeler Software Inc. uses the VAST approach.
Due to incremented enterprise data breaches, it is a priority for organizations to invest in a threat modeling tool that protects the security of their systems. Although most threat modeling methodologies require a budget, free threat modeling tools – like Microsoft TMT – are on the rise. The word free is appealing for any IT professional looking for security solutions, however, free tools tend to lack anything other than basic functionality. If you are a business owner, think about it from an enterprise perspective and consider a threat modeling tool to be a long-term security investment.
It’s essential to understand that in the business world, if you can’t imagine owning a company for ten years, don’t even think about owning it for ten minutes. This principle applies when it comes to choosing a threat modeling tool for your organization. When protecting your organization’s security, it is better to be safe with the best software than to be sorry with a free exploit tool lacking operational, systematic and automated properties.
Some of the pitfalls of using a free threat modeling tool are:
- Limited built-in threat library and infrastructure components. Free threat modeling tools offer less than 100 threats as opposed to more than 500 threats offered by paid threat modeling methodologies.
- Lack of default diagramming components
- Failure to create specific security controls for components
- Incapability of importing threats from nested threat models
- Inability to generate specific security requirements and test cases to verify security requirements
Microsoft TMT (threat modeling tool) and OWASP’s Threat Dragon are the most popular threat modeling methods used. Although Microsoft is a popular free tool, its inability to perform in any computing environment other than Windows can be one of its greatest drawbacks.
ThreatModeler is an automated threat modeling solution that strengthens an enterprise’s SDLC by identifying, predicting and defining threats across all applications and devices in the operational IT stack. This automated platform works with all types of computing environments.
To learn more about how your organization can identify security threats during the SDLC for faster, smarter, more secure application production, contact us to speak with an application threat modeling expert today.
Sources:
¹ https://www.schneier.com/academic/archives/1999/12/attack_trees.html