If you’re intent on creating secure software, then eventually you’re going to have to evolve from DevOps to DevSecOps. But as InfoQ is quick to point out, “DevSecOps isn’t possible by going about normal day-to-day DevOps processes. You can’t tell team members to just be more mindful about security and expect better results.”
The first thing you’ll have to do is to adopt a DevSecOps philosophy, which requires integrating security into all stages of software delivery, not just at the end. The goal, after all, is to make security part of the development workflow.
Once all that’s in place, you’ll quickly realize you’re going to need some tools to help automate your DevSecOps. And as Palo Alto Networks notes, “The best DevSecOps tools should integrate with any CI/CD workflow to secure cloud infrastructure and applications early in development.”
One family of tools that meets all these requirements is threat modeling. The best tools integrate with any CI/CD workflow, they integrate into all stages of software delivery and they help automate security. There are three threat modeling tools in particular that together comprehensively fulfill the vision of DevSecOps.
Tool #1 – Threat Modeling
The first tool is the basic, automated threat modeling tool for all environments and applications, including mobile and IoT (Internet-of-Things).
Tool #1 can instantly visualize an application’s attack surface, mitigate security flaws, recommend security controls, and minimize threat drift during the software development lifecycle (SDLC).
Advanced threat modeling tools work automatically and continuously to detect design flaws. They may also come with built-in regulatory compliance frameworks to protect applications from regulatory violations. The very best threat modeling tools keep their threat intelligence current with constant research on emerging threats, compliance, and industry best practices.
Tool #2 – Cloud Modeling
Cloud modeling is the natural evolution of threat modeling for cloud-based applications. Today, cloud modeling is a threat modeling tool all its own.
Tool #2 automates cloud architecture and security control validation for public cloud service providers (CSP). It helps scale the threat modeling process across the entire CSP portfolio of microservices to generate a comprehensive attack surface analysis of the entire cloud footprint, along with relevant security controls.
Cloud modeling is also an essential capability in detecting and mitigating cloud-based threat drift. In the cloud, infrastructure changes quickly and continuously. It takes a tool like an automated cloud modeler, integrated into the cloud environment, to be able to keep up with those changes.
Tool #3 – Infrastructure-as-Code Analysis
The final tool in the threat modeling toolbox gives the ability to analyze Infrastructure-as-Code (IaC).
IaC was created to deploy cloud infrastructure automatically and continuously. And it’s turned out to be a great idea. But, if you wait until the infrastructure is deployed by the code to do threat modeling, it’s no longer DevSecOps. It’s more like the traditional approach to security: deploy then test (and pray).
For true DevSecOps, making security part of the development workflow, the infrastructure has to be threat modeled before it’s deployed. And since it’s the code that determines the infrastructure, the code is the thing that needs to be threat modeled. And that can only be accomplished through code analysis.
A good IaC analysis tool will plug right into the cloud environment, while still enabling developers to code in their IDE. It should identify design flaws and vulnerabilities, explain the issues presented and provide just-in-time contextual guidance for revision. And it should do it all continuously and on-the-fly.
If you’re committed to threat modeling in 2022 and want to do it comprehensively, then you’re going to need three different threat modeling capabilities. And if you’re not sure where to find them, you can start by looking at ThreatModeler.
ThreatModeler has all three capabilities available as separate tools: ThreatModeler, CloudModeler, and IaC Assist. If you’d like to learn more about one or all three of these tools, schedule a free demo here. We’d be happy to answer any of your questions.
