Threat Management Platforms


Threat Modeling Tools?

There are several tools available on the market that seek to make the technique of threat modeling much more streamlined. Each is geared towards use in different ways, and have their own unique characteristics and some shared traits.

In this post, we’ll take a look at some of the offerings available.

ThreatModeler?

ThreatModeler is offered as both a DevOps and Enterprise version. The Enterprise edition is hosted on cloud marketplaces like AWS. It features many of the standardised features of market leaders in this space, including integration (both native and through an API), threat intelligence databases and built-in compliance frameworks.

The USP of this tool however, are in its patented technologies, notably the “Accelerator” which will auto-build models for cloud environments, and the “Onboard Architect” which guides users on building secure cloud architecture. ThreatModeler also features “Threat Chaining” for sync of multiple nested models. We would define this tool as an “all-rounder”, ideal for those with the capacity to exploit threat modeling, and looking for a solution to deploy across the enterprise with relative ease.

IriusRisk?

Where ThreatModeler features all the bells and whistles to make securing architecture much easier, IriusRisk is more of a workman’s tool. It features the same standardised features you’d expect from leader tools, with integration and databases. However, it does not include advanced reporting features or auto-builders and instead is built more intuitively for use in DevSecOps. It has two-way sync with ALM tools and integrates with most DevOps tools, either natively or through an API.

IriusRisk will be the ideal choice for DevOps/DevSecOps teams looking to “pick-up-and-play” with a tool they already know they need, to streamline some of the threat modeling processes they already, or planning to, use.

CAIRIS?

Unlike our previous mentions, CAIRIS is not a commercial option. It is open-source. While it omits some of the standardised features of other offerings, it is unique in its approach.

CAIRIS models environments with contexts of use. It looks not just at system assets but human ones as well, including users, personas, tasks and goals. As such, it is able to take a more human-factors-oriented approach to threat and requirement management. Although there is greater difficulty in building models in CAIRIS, as it lacks the streamlining capabilities of our aforementioned alternatives, it’s potential for exploitation is much greater.

As the threat modeling processes can be visualled from different perspectives, it allows consideration of usability alongside security. CAIRIS users can manage their security, usability and design artifacts in one place. While there are many barriers that limit the use of CAIRIS, and it is less effective than existing commercial offerings at enabling general threat modeling, it may provide an ideal solution towards making digital design processes “Secure by Design”; owing to its ability to not trade-off usability for security.

Contact Information

Thanks for reading this far, if you have any questions or thoughts about this post, feel free to let me know at luke@netpaladin.co.uk.