Threat Modelling and SDP (Secure Development Practices) - The whats and whys of Threat Modelling


Threat Modelling?

Threat modeling is a process by which we model a system environment and look at where vulnerabilities may exist. While there are many forms this can take, Data-Flow Diagrams are the primary tool for highlighting where relationships between system assets and attributes exist. From the diagram we can then identify the vulnerabilities and risks between different end-points.

Using this technique within an SDLC can allow us to better manage tasks, workflow and validation. By undertaking threat management from the design stage, we can help “bake in” security from the outset. This can allow us to mitigate the cost of addressing issues later in the pipeline and leads to project outputs that are “Secure by Design”.

Furthermore, because many ASRTM (Application Security Requirement and Threat Management) tools allow automation of some of the processes of threat modeling, they are increasingly being adapted to agile methodologies.

Tarandach, Izar, and Matthew J. Coles’ “Threat Modeling” (O’Reilly Media, Inc., 2020) discusses this in detail. Chapter 4 in particular highlights the advantages of automated threat modeling: tools can reduce the costly activity of developing models by hand and can do the “leg work” of identifying system vulnerabilities, reducing the human burden of this technique.
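To make the DFD idea and the “leg work” a tool can take over concrete, here is a small added example (written for this page, not taken from the post or from the book): a data-flow model of a constructed three-element system, rendered as a Graphviz diagram with one cluster per trust zone, and walked by three simplified rules that flag flows crossing a trust boundary without encryption or authentication and external entities that reach a datastore directly. The element kinds, zone names and rules are my own simplifications and not an ASRTM product’s logic.

```python
from dataclasses import dataclass
from itertools import groupby
@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone the element sits in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    encrypted: bool = False
    authenticated: bool = False
def analyse(flows):
    # Walk every flow and apply simple rules; returns (flow label, concern) pairs.
    findings = []
    for f in flows:
        label = f"{f.src.name} -> {f.dst.name} [{f.data}]"
        crosses = f.src.zone != f.dst.zone   # the flow leaves its trust zone
        if crosses and not f.encrypted:
            findings.append((label, "unencrypted flow across trust boundary"))
        if crosses and not f.authenticated:
            findings.append((label, "unauthenticated flow across trust boundary"))
        if f.src.kind == "external" and f.dst.kind == "datastore":
            findings.append((label, "external entity reaches datastore directly"))
    return findings

def to_dot(flows):
    # Render the DFD as Graphviz DOT, one cluster (drawn trust boundary) per zone.
    elements = sorted({e for f in flows for e in (f.src, f.dst)}, key=lambda e: (e.zone, e.name))
    lines = ["digraph dfd {"]
    for zone, group in groupby(elements, key=lambda e: e.zone):
        lines.append(f'  subgraph "cluster_{zone}" {{ label="{zone}";')
        lines += [f'    "{e.name}";' for e in group]
        lines.append("  }")
    lines += [f'  "{f.src.name}" -> "{f.dst.name}" [label="{f.data}"];' for f in flows]
    lines.append("}")
    return "\n".join(lines)

# Constructed sample model (not a real system): browser -> web API -> database.
BROWSER = Element("Browser", "external", "internet")
API = Element("Web API", "process", "dmz")
DB = Element("Orders DB", "datastore", "internal")
FLOWS = [
    Flow(BROWSER, API, "order request", encrypted=True, authenticated=True),
    Flow(API, DB, "SQL query", authenticated=True),   # plaintext across dmz -> internal
    Flow(BROWSER, DB, "bulk export"),                 # bypasses the API entirely
]
```

Running `analyse(FLOWS)` yields four findings (one for the database link, three for the direct export), while `to_dot(FLOWS)` can be piped to `dot -Tpng` to produce the diagram a reviewer would annotate by hand.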

In conclusion, threat modeling can be regarded as an effective SDP. It allows security to be “baked in” from the design stage, increasingly suits agile methodologies and reduces the cost of addressing cyber risk. Beyond this, tools in this space help to assess and meet both system and security requirements, providing further value for firms deploying the technique.

“The movement toward agile and DevOps methodologies will help highlight the value in automating security requirements and threat modeling tasks, and accelerate adoption over the next five years.” (Gardner and Catucci, 2020)

Limitations?

Threat modeling sounds great, but what are the limitations?

There are several reasons threat modeling is difficult:
- “It takes a rare and highly specialized talent”
- As technology and systems develop, weaknesses accelerate
- There are many options related to the ways in which findings are modeled
- There is difficulty in proving its value to stakeholders; specifically, there can be a lack of clarity when it comes to collaboration
- It takes time and effort to create system models, as nothing is ever static
(Tarandach and Coles, ch. 4 para. 9-14, 2020)

Although tools and vendors are making some headway on overcoming these barriers, the cost-benefit of deploying this SDP within an organisation may leave a lot to be desired. Firms without the existing capability to exploit threat modeling may consider the labour cost of enabling it too great, before they even consider the potential cost of ASRTM tool licences.

Contact Information

Thanks for reading this far, if you have any questions or thoughts about this post, feel free to let me know at luke@netpaladin.co.uk.

References

Tarandach, Izar, and Matthew J. Coles. “Threat Modeling.” O’Reilly Media, Inc., 2020.
Gardner, Dale, and Frank Catucci. “Hype Cycle for Application Security 2020.” Gartner, Mark Horvath, July 2020.