Vanguard Report, April 2023
Continuous, Cloud-Centric Threat Modeling Enables the Ultimate ‘Shift Everywhere’ Required by DevSecOps
Beyond compliance, organizations increasingly look to threat modeling for more actionable context than the large volume of tactical findings or "automatic" fixes that guardrail tools and security scanners produce. They need insights that drive decisions within the development process about whether developers are:
- Adhering to the "paved road": the cloud service providers' "cloud security blueprints" or "secure design patterns", plus the organization's own secure design patterns and secure reference architectures.
- Introducing changes that expose new attack surfaces or weaknesses, or that otherwise put valuable assets at risk.
- Placing impactful security controls where they materially reduce exposure and improve security posture.
Threat Modeling and Executive Order (EO) 14028
US President Joe Biden's Executive Order (EO) 14028, issued May 12, 2021, forced this issue: it directed NIST to publish secure software development guidance that organizations doing business with the US government must follow, and that guidance (the Secure Software Development Framework, NIST SP 800-218) lists threat modeling among its practices. To comply with the associated regulations, enterprises need a continuous, cloud-centric threat-modeling capability that governs the DevSecOps practices of each release. While many of these regulations leave room for interpretation of what "threat modeling" specifically entails, some aspects are certain: compliance demands that organizations diagram their software, infrastructure and cloud use, and seek out design flaws that defect discovery tools cannot find.