Purchasing a threat modeling tool can be intimidating. For starters, most people who need threat modeling aren’t threat modeling experts. To compound matters, even fewer people keep up with the capabilities of threat modeling tools. What was considered state-of-the-art just a few years ago may be inadequate today.
In this article, we’ll highlight the three questions you should ask a threat modeling vendor if your goal is to evolve your development process from DevOps to DevSecOps.
How does it keep up with threats?
You probably don’t need to be told that in the world of cyber risk, things change fast. Too fast for most practitioners to keep up with on their own. That’s why programs like CVE® and CVSS, which are updated in near real-time, have been developed.
The Common Vulnerabilities and Exposures (CVE) system provides a reference method for publicly known information-security vulnerabilities and exposures. The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.
CVE and CVSS are ways for practitioners to stay up-to-the-minute with threats without having to do any of the research themselves. What is really powerful is when the information contained in the CVE and CVSS databases (and others like them) is embedded right into the threat modeling tool. That’s definitely something you should inquire about when doing your evaluation.
Which capabilities are automated?
Most applications today are deployed in the cloud. And if you’ve deployed an application in the cloud, then you know things change fast. VMs, containers, storage, and processing all come and go based on changing demand. Entire architectures can change during the course of a day. There’s just no way a threat model can be updated in response to these changes if it has to be done manually. What’s the answer? Automation.
In cloud deployments, you want to automate as much as possible, and that includes updating your threat model. Ideally, you want a tool that can detect changes in the environment automatically and in real time, and send alerts that include suggestions for remediation. For it to be really effective, it should integrate seamlessly with the top cloud vendors. So a follow-up question to ask is: which cloud services does it support?
Does it do more than model threats?
Of course, you expect your threat modeling tool to model threats, but what else can it do? Modern threat modeling tools can do much more, but there are two capabilities in particular that prove to be very useful.
The first is compliance. Failure to comply with regulations can pose as much of a threat to your application as a hacker, especially from a financial standpoint. It would be nice if your threat modeling tool could also alert you to compliance “threats”.
The second is Infrastructure-as-Code (IaC). Most DevOps today is based on IaC. While it’s nice to detect threats after deployment, it’s even better to do so beforehand. Some modern threat modeling tools have the ability to identify threats in IaC code itself, before anything is provisioned. If your deployment is based on IaC, this is a powerful capability.
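To make the IaC point concrete, here is an added example (not code from the article or from ThreatModeler’s product) of the kind of pre-deployment check such a tool performs: it reads a constructed Terraform JSON (.tf.json) fragment and flags any security group ingress rule that exposes an administrative or database port to the whole internet. The port list and the resource names are assumptions for the illustration.

```python
import json
from ipaddress import ip_network

# Constructed Terraform JSON fragment (not from the article): one security group
# with three ingress rules. Only the SSH rule should be reported.
TF_JSON = """
{
  "resource": {
    "aws_security_group": {
      "web": {
        "ingress": [
          {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
          {"from_port": 5432, "to_port": 5432, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}
        ]
      }
    }
  }
}
"""

# Assumed policy: these ports must never be reachable from 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}


def find_open_sensitive_ingress(tf_json: str) -> list[dict]:
    """Return one finding per (security group, sensitive port) exposed to the world."""
    doc = json.loads(tf_json)
    findings = []
    groups = doc.get("resource", {}).get("aws_security_group", {})
    for name, body in groups.items():
        for rule in body.get("ingress", []):
            cidrs = rule.get("cidr_blocks", []) + rule.get("ipv6_cidr_blocks", [])
            # A /0 prefix (IPv4 or IPv6) means "anywhere".
            if not any(ip_network(c).prefixlen == 0 for c in cidrs):
                continue
            lo, hi = int(rule.get("from_port", 0)), int(rule.get("to_port", 0))
            if str(rule.get("protocol", "tcp")) == "-1":  # "-1" = all protocols/ports
                lo, hi = 0, 65535
            for port, service in SENSITIVE_PORTS.items():
                if lo <= port <= hi:
                    findings.append({"resource": f"aws_security_group.{name}",
                                     "port": port, "service": service})
    return findings


if __name__ == "__main__":
    for f in find_open_sensitive_ingress(TF_JSON):
        print(f"{f['resource']}: {f['service']} (port {f['port']}) open to the internet")
```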
Whenever you buy a new product you are unfamiliar with, you need to ask questions. The key to success is to ask the right questions. In this article, we gave you three suggestions for the “right” questions to ask a threat modeling vendor. The answers should provide you with quite an education.
If you are unsure whom you can turn to ask these questions, feel free to reach out to ThreatModeler. We’d be happy to contribute to your education.