Threat modeling in the age of automation
Cyber security threats are growing rapidly, leading companies that build applications to take a closer look at precautionary security measures, including threat modeling, which has become essential to ensure that applications can withstand future attacks.
However, a recent Security Compass study found that only 25% of organizations surveyed perform threat modeling during the early stages of software development (requirement gathering and design) before proceeding with application development.
Additionally, less than 10% said their organizations performed threat modeling on at least 90% of the applications they developed, and more than half of organizations faced challenges automating and integrating their threat modeling activities.
“The traditional threat model takes time and often takes days to complete,” said Rohit Sethi, CEO of Security Compass. “The list of threats, countermeasures and schematic representation can quickly become obsolete given the pace of modern software development.”
In addition, the “STRIDE” method of determining threats is error-prone and can easily ignore scalable attacks, he added. This method does not incorporate the growing burden of regulatory compliance, such as data protection laws, which must also be factored into software design, he said.
“Perhaps more importantly, a good threat model requires security expertise that is scarce in almost any organization,” he noted. “This leads many organizations to focus threat modeling on a smaller number of important applications and create threat models without using them to inform a secure design, to perform modeling simply as a compliance exercise or to abandon completely the effort.”
Sethi said that if organizations are to truly meet the goals of their threat modeling initiatives, they need to balance the business needs of faster application development with the goals of risk management.
Automation of threat modeling
“Doing this efficiently, at scale, requires automation,” he explained. “Large parts of threat modeling can be automated.
For example, defining a list of well-known “threats” in software design does not necessarily require manual analysis; we already know that certain technologies, features and programming languages are susceptible to well-known software security weaknesses documented in MITRE’s Common Weakness Enumeration (CWE).
“It is possible to automate the binding of technical attributes of software to potential threats and corresponding countermeasures,” he said, adding that automation does not have to be expensive.
While robust business tools aren’t free, Sethi said the Total Cost of Ownership (TCO) is significantly lower than the alternatives: hiring more security professionals to do the work manually, forcing developers to devote valuable engineering cycles to security flaws, or bearing the cost and distraction of dealing with regulators and lawsuits due to non-adherence to accepted industry best practices.
Sethi said organizations should also rely on threat modeling processes and tools to address the growing burden of regulatory compliance on software development, explaining that existing governance, risk and compliance programs (GRC) are just not optimized for software development.
He said it was instructive to review the successes of the United States Department of Defense, which recently pioneered the continuous Authority to Operate (ATO) as a model for how businesses can incorporate secure-by-design processes tied to DevSecOps.
“We’re also seeing a trend in which organizations are looking to eliminate security concerns from software developers by seamlessly integrating appropriate controls into frameworks, containers, microservices, and other infrastructure components,” said Sethi.
Tracking which controls are implemented in which component, and ensuring that there are no material gaps, will be a key benefit of threat modeling going forward.
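The two ideas above, binding a component’s technical attributes to known CWE weaknesses and their countermeasures, and then checking which required controls each component actually implements, can be shown in a small rule engine. The following is an added example, not Security Compass tooling or code from the article; the attribute names, the rule set, the control names and the sample components are constructed for the demonstration. The CWE identifiers are real MITRE CWE entries, but the attribute-to-CWE mapping is a simplified illustration, not an authoritative catalogue.

```python
"""Rule-driven threat derivation from a component's technical attributes.

Example code (not the article's or any vendor's): declared attributes of a
component are matched against a rule set that binds them to a CWE and the
countermeasures that weakness requires; the gap report then lists which
required controls a component has not implemented.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    requires: frozenset   # attributes a component must declare for the rule to apply
    cwe: str              # real CWE identifier (mapping itself is illustrative)
    threat: str           # short threat name
    controls: tuple       # countermeasures that must be implemented


# Constructed rule set: technical attribute(s) -> CWE -> required controls
RULES = (
    Rule(frozenset({"sql"}), "CWE-89", "SQL injection",
         ("parameterized-queries",)),
    Rule(frozenset({"html-output"}), "CWE-79", "Cross-site scripting",
         ("output-encoding", "content-security-policy")),
    Rule(frozenset({"file-upload"}), "CWE-434", "Unrestricted file upload",
         ("upload-type-validation", "upload-size-limit")),
    Rule(frozenset({"session-cookie", "html-output"}), "CWE-352",
         "Cross-site request forgery", ("csrf-token",)),
    Rule(frozenset({"pii"}), "CWE-311", "Missing encryption of sensitive data",
         ("encryption-at-rest", "tls")),
)


@dataclass
class Component:
    name: str
    attributes: frozenset                               # declared technical attributes
    implemented: frozenset = field(default_factory=frozenset)  # controls in place


def threats_for(component):
    """Return every rule whose required attributes are all declared by the component."""
    return [r for r in RULES if r.requires <= component.attributes]


def control_gaps(component):
    """Map each applicable CWE to the required controls the component lacks."""
    gaps = {}
    for rule in threats_for(component):
        missing = [c for c in rule.controls if c not in component.implemented]
        if missing:
            gaps[rule.cwe] = missing
    return gaps


def gap_report(components):
    """Aggregate gaps per component; an empty dict means no material gaps."""
    report = {}
    for comp in components:
        gaps = control_gaps(comp)
        if gaps:
            report[comp.name] = gaps
    return report


# Constructed sample system: two components with different control coverage
SAMPLE = [
    Component("orders-api",
              frozenset({"sql", "pii", "session-cookie", "html-output"}),
              frozenset({"parameterized-queries", "tls", "csrf-token",
                         "output-encoding"})),
    Component("doc-uploader",
              frozenset({"file-upload"}),
              frozenset({"upload-size-limit"})),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE).items():
        for cwe, missing in gaps.items():
            print(f"{name}: {cwe} lacks {', '.join(missing)}")
```

Because the rules key off declared attributes rather than a manual review, the derived threat list is regenerated whenever a component’s attributes or implemented controls change, which is what keeps the model from going stale as the design evolves; the rule set itself is the part that still needs security expertise to curate.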
More maturity, better knowledge of the situation
Chris Morales, CISO at Netenrich, said that while threat modeling has always been important, few organizations practice it because it takes a level of understanding of how attacks work and how they relate to the attack surface that few individuals have the time or knowledge to acquire.
“This has changed over time as security matures; more people understand attacks better, and we have adopted common taxonomies like MITRE ATT&CK and advanced methods like Microsoft STRIDE,” he said.
Morales highlighted how threat modeling has expanded to examine the entire attack surface of the company’s users, assets, and connections.
“It provides a quantitative method of managing risk by assessing how an organization would behave in the face of real threats before there is a problem,” he said, conceding that threat modeling is a process that takes time.
“We need to move to operational models that allow a lightweight form of modeling to understand the current security posture against threats in the wild actively targeting an organization’s resources,” said Morales.
This means automating as much as possible to enable constant output that provides situational awareness to all parts of the organization, not just the SecOps or DevOps team.