Everyone involved in application development would rather prevent an incident than have to respond to one. The old adage, an ounce of prevention… really does apply.
That’s where threat modeling comes in. It’s one of the very best ounces of prevention available for developers. Threat modeling can be summed up as: think about all the things that can go wrong ahead of time, then mitigate them ahead of time. That’s precisely how you avoid incidents.
And as the cost of incidents continues to rise (up 15% since 2020), the question you have to ask is, why wouldn’t everyone want to avoid security incidents? Why wouldn’t everyone want to do threat modeling?
Why Not Threat Modeling?
We have some insights into why threat modeling adoption isn’t at or near 100% of the target market. From the Threat Modeling Tools Report 2023, we see four hurdles slowing down threat modeling adoption: 1) integration issues, 2) cost, 3) complexity and 4) lack of in-house expertise.
For the most part, integration is no longer an issue. There are threat modeling tools on the market today that integrate seamlessly into the DevOps pipeline.
The cost of a threat modeling tool is like the cost of insurance. It’s too expensive until you need it. The one thing we know for certain is that the cost of even the most expensive threat modeling tool is a fraction of the cost of an average data breach ($4.45 million in 2023 according to IBM).
This leaves just two reasons for slow threat modeling adoption, which is really just one reason: it’s too complex to handle in-house.
Why Threat Modeling?
Why threat modeling? Because the market in which you’ll be able to sell hardware and software products without it is shrinking fast.
Making a medical device? You’re going to need a threat model to get it FDA approved. Manufacturing automobiles? You’re going to need a threat model. Selling to the U.S. government? Yes. Consumer devices with pre-loaded software? Yes.
Threat modeling is getting to the point now where not having a threat model is seen as a security gap. This directly contradicts the behavior of some manufacturers and service providers who perceive it to be optional. But as we’ve seen, the world in which threat modeling is optional is going away. And that’s the answer to why threat modeling?
The final hurdle to widespread threat modeling adoption is complexity. And while that still may be the perception amongst some, that also is no longer true.
There was a time when an accurate threat model did require in-house threat modeling expertise. Today? Just one click of a mouse by a seasoned developer.
Threat modeling tools on the market today can generate the necessary architectural diagrams, are based on industry best practices, and contain a massive database of threats and mitigations. And those databases are updated constantly. Even better, those diagrams and threats and mitigations can be generated automatically, with the click of a mouse.
Today’s threat modeling tools have made the complexity issue a non-issue. And that’s the answer to why threat modeling now.
If you’d like to learn more about a threat modeling tool that has made complexity a non-issue, check out ThreatModeler. It’s the first one-click threat modeling tool on the market.