We’ve reached the point where security decision makers have come to embrace the idea of threat modeling. The notion of finding and eliminating cyber vulnerabilities before they become cyber incidents is a pretty easy idea to get behind.
But just because decision makers have gotten on board with threat modeling, doesn’t mean they’ve made the investment in threat modeling tools. After all, to generate the main artifacts of threat modeling (i.e., data flow diagrams and process flow diagrams) does not require a tool. A practitioner with sufficient expertise and a whiteboard could produce these deliverables.
So, what is the justification for investing in a threat modeling tool? There are at least three.
There are plenty of threat modeling aids available. These include frameworks likes STRIDE, OWASP Top 10 and MITRE ATT&CK. There are also “tools”, like those from Microsoft, which aren’t much more than a digital whiteboard. All of these still require a practitioner to build the threat model manually. And in a virtualized world where infrastructures change constantly, that’s a problem.
The first justification for investing in a threat modeling tool is for automation. Automation includes, among other things, the ability to automatically build the threat model based on the existing environment. It also includes updating the threat model automatically and updating the threat database, all in real-time, in response to system and threat changes.
Why is it no longer feasible to manually keep threat models up-to-date? As Help Net Security points out, “Because technology moves faster than teams can keep pace and it’s not feasible for everyone to pick up new skills.”
Threats are no longer just limited to cybersecurity threats. It is now understood that failure to meet regulatory requirements is also a threat. And that’s another justification for investing in a threat modeling tool.
It’s one thing to ask developers and system architects to master the cybersecurity threat landscape. It’s another to ask them to master the regulatory landscape (in addition to cybersecurity). Most won’t even know where to start.
Developers and architects won’t think twice about investing in security tools like static and dynamic application security testing (SAST & DAST). But where can they turn for compliance tools? The answer is there aren’t many options available. One of the few options available to developing compliant applications is a properly equipped threat modeling tool.
No matter what software you buy or develop, you can bet it’s not on an island. Most likely it is interconnected to other internal and external applications over a network that may or may not be locked down. That’s known as the supply chain issue.
According to Help Net Security, “A company’s supply chain is like a body’s nervous system: a mesh of interconnected manufacturers, vendors, sub-contractors, service delivery firms, even coding and collaboration tools.” And as they rightly point out, “When one node of the interconnected enterprise is breached, the pain can spread thick and fast.”
The bottom line? It’s no longer good enough to threat model just your applications. You have to model your supply chain. And that’s a third reason to invest in a threat modeling tool. Because it makes it easy to threat model your entire ecosystem. You may not be able to pen test your supplier’s software, but you can threat model it.
There are at least three reasons to invest in a threat modeling tool. It automates threat modeling, it assists with regulatory compliance and it enables you to view threats all up and down your supply chain.
If you’re convinced it’s time to start shopping for a threat modeling tool but don’t know where to start, you may as well start with one of the best: ThreatModeler.