More and more, companies are recognizing the importance of threat modeling. With all the cyber threats and the increase in regulatory requirements, a formal threat modeling process is a must-have for many companies today.
Once an organization gets on board with threat modeling, the first thing most do is survey the landscape of available threat modeling tools. That’s a good idea, as there are threat modeling tools available today that can automate some or most of the threat modeling process.
So, what are some things to look for if you’re in the market for a threat modeling tool? That depends heavily on what types of applications you need to threat model (and where they’re located). No matter what your use cases, there are a couple of features you should absolutely want to have in your threat modeling tool. The tool should be simple to use, and it should be scalable.
Simple Threat Modeling
There’s more security expertise needed today than there is security expertise available. That means the developers tasked with implementing threat modeling are often not security experts (and consequently are not threat modeling experts). But they still have to do threat modeling.
The first thing to look for in a tool is whether someone who is not a security expert can use it to develop effective threat models. One way to evaluate that is to ask how much of the threat model the developer has to provide and how much the tool can provide. Ideally, you’d like a tool that can provide a majority of the threat modeling information.
To create an effective threat model, you’ll have to create a threat diagram. With a simple threat modeling tool, creating that threat diagram should be easy and not require a lot of input from the user. Here are some features to look for in the tool:
- Does it come with a large library of components pre-installed?
- Does it offer “drag and drop” functionality?
- Does each component added to the diagram come with attributes, threats, requirements, mitigations, and test cases?
- Does it come with pre-defined threat model templates?
Scalable Threat Modeling
If you only have to do a handful of threat models, then you don’t need a tool that’s scalable. But if you need to do hundreds (or thousands) of threat models, then scalability is essential. The last thing you want is for a developer to have to start each threat model from scratch. That’s not scalable.
Here are some features to look for in a threat modeling tool that’s scalable:
- Can the developer and security expert collaborate on threat models?
- Does the tool support unlimited users at no additional cost?
- Does the tool integrate into the development environment with project management tools like JIRA and build tools like Jenkins?
- Do changes in the library get propagated to all the affected threat models automatically?
These are the types of features you’re going to want in a simple, scalable threat modeling tool. Now you may be asking yourself, does such a tool exist? And of course, the answer is yes: ThreatModeler.
ThreatModeler was designed from the start to be simple and scalable with all the features highlighted above and more. If you’d like to learn more about ThreatModeler, reach out to us here.