We like to say that to do it right, threat modeling cannot be a one-time project. It must be an ongoing process. In that same way, if you do it right, threat modeling won’t be a destination, it will be a journey. An evolutionary journey.

Whether you’re just getting started or you’ve been doing threat modeling for a while, it would be nice to know where you are in that journey, and more importantly, what you need to do to keep evolving.

In this article, we’ll briefly discuss the three stages of an evolving, self-service threat modeling practice. That will include the practices you’ll need to incorporate at each stage and the milestones you should expect to achieve.

Emerging Practice

When you first start out, you’re in the emerging stage. This is the getting up to speed stage. The practices that define this stage are implement, orient and train.

You’ll start by implementing the practice, which includes defining processes and procedures, and possibly implementing a threat modeling tool. Then you’ll want to orient and train those who will be part of the threat modeling practice.

There are three major milestones in the emerging stage:

  1. Formally define the practice
  2. On-board the participants
  3. Complete the initial implementation

It’s important to be present in the stage you’re at. That includes not trying to “jump ahead” to the next stage before you’re ready.

Growing Practice

The next stage is the growing stage. If there’s one word to describe this stage, it’s scale. Obviously, if you only need a handful of threat models, then you may never enter the growing stage. But if you’re like many organizations that need to create thousands or tens of thousands of threat models, scaling becomes essential, and that takes place in the growing stage.

Here you’ll define a reference architecture for your threat models and automate the “gates” in the process. Scaling requires automating, and the first thing to automate are the decision points (i.e., the gates) in the threat modeling process that enable a threat model to go from start to finish.

The major milestones in the growing stage are as follows:

  1. Scale to portfolio coverage
  2. Establish a secure reference architecture
  3. Implement automated governance gates in the SDLC

Maturing Practice

The maturing phase in threat modeling can best be described by the metaphor paved road. Paved road, a term originally coined at Netflix, is a way of describing an information security process with no bumps in the road. A path with “secure defaults”.

The emphasis in this stage is the maturation of the self-service process and the incorporation of threat intelligence into the threat modeling practice. The major milestones in the maturing stage are as follows:

  1. Establish and integrate threat intelligence into the threat modeling process
  2. Enable self-service threat modeling by developers
  3. Define the “paved road” SDLC which incorporates threat modeling

The maturing phase is where DevOps truly turns into DevSecOps.

No matter what stage you’re currently in, you can make the evolution easier with a threat modeling tool that automates steps in each stage of evolution. That tool is ThreatModeler.

ThreatModeler was imagined from the start with the idea that developers, with no special expertise in security, should be able to easily create threat models as part of their development efforts. To learn more about how ThreatModeler makes that happen, you can reach out here.