Part 1: Traditional Threat Modeling
Is threat modeling a blocker?
Is threat modeling a blocker for security in your organization when it should be an enabler? If it is, you’re not the only one. Traditional threat modeling is no longer meeting the needs for the modern development team that relies on speed and automation. How do organizations keep pace with the industry while growing their numbers?
To explore this, we’ve worked with standards communities, regulatory bodies, academic research, and some of the biggest companies in the world to develop an alternative perspective of how threat modeling can help drive security forward without creating a barricade. So is threat modeling a blocker? Yes.
But it doesn’t have to be.
Traditional threat modeling has blockers
We need to begin by looking at traditional threat modeling and pinpointing where slowdown occurs. No single model can account for every business case, so we see a large variety of them. At the same time, they each aim to accomplish a specific goal by either addressing a development phase, working with various levels of security expertise, or producing unique outputs. This kind of granularity works well when you need an assortment of tools to address a variety of factors—but when a company increases in size or doubles the projects that require threat modeling, it’s no longer a realistic strategy. At the end of the day, traditional threat modeling is slow.
Table 1. Threat modeling approaches and their defining characteristics.
Traditional threat modeling and slowdown
Each threat modeling approach has its strengths and weaknesses. Imagine how these approaches transfer to tens, hundreds, or thousands of projects. Through our conversations with large companies using threat modeling, we discovered that they preferred using data flow diagrams, checklists, and misuse cases for threat modeling. See the following table for a breakdown of their challenges and a summary of the resulting slowdown.
Table 2. Popular approaches to threat modeling create challenges in growing organizations that slow down development.
Re-enable threat modeling for today
Organizations today are still using threat modeling, but they need a better way to do it as they grow. Where do they start?
First, they need to seamlessly integrate threat modeling artifacts across the lifecycle. This means that threat modeling artifacts are well understood at each phase, and they don’t distract from the overall process flow, or the work of other teams.
Second, the threat model should be simple to generate. It should be scalable across fast-paced development environments with thousands of applications without requiring the consistent use of a limited pool of resources.
Finally, it needs to be easily understood across the software lifecycle. Anyone should be able to look at a threat modeling artifact in any phase of the development lifecycle and understand what it means.
To avoid slowdown, threat modeling should:
- Reduce the network effect
- Produce consistent output
- Include exception policies
- Ensure the latest security coverage
- Ensure that output reflects the entire system
- Assess importance realistically
- Reduce the discrepancy of threat modeling artifacts across the software lifecycle
How can we do this?
A lightweight approach to threat modeling
We’ve outlined how traditional threat modeling can slow down large and growing businesses. We need a way to update threat modeling to address contemporary challenges that require the flexibility and speed we see in DevSecOps. This is the lightweight approach we’re looking for.
To scale threat modeling across people, systems, and data, we need a way to deliver common artifacts across the software lifecycle without becoming excessive and monolithic. Instead, we want a lightweight representation of these elements that we can easily reformat as needed. This common artifact should be able to produce:
- Data sharing with lists
- Application taxonomies
- Traceable risk
If these sound familiar to you, it’s because we have already started doing this. How can we focus them for threat modeling?