
Is next-generation threat modeling even about threats?


The threat landscape is changing with technology, and as threats grow in sophistication, there are fears that major events like the Colonial Pipeline ransomware attack or the Equifax breach could be repeated elsewhere. While mainstream media focuses on operational cybersecurity, smart application firewalls, and other defensive and reactive solutions, the Verizon 2021 Data Breach Investigations Report suggests that insecure code and configuration in software is the root cause that needs to be addressed.

To address the challenges of developing and deploying insecure software, the industry is moving towards integrating security into the software development lifecycle (SDLC). Many experts attempt to use traditional threat modeling as the first order of business to manage security in the SDLC.

But what if everyone mismodels threats?

The industry standard for how we perform threat modeling today evolved from past meetings where security professionals huddled in a conference room and brainstormed potential threats that could affect their software. This laborious process often caused communication problems between security professionals and developers. The major flaw of this approach is that only the threats that security professionals thought about when developing their modeling platforms are addressed by their technology.

Threat modeling has changed over the years

With the development of DevSecOps, modern threat modeling is less focused on detailed analysis of complex threat scenarios. This may seem counterintuitive, and you might think that a threat model with no threats will not provide any information. But modern threat modeling through DevSecOps delivers superior results because threat prevention starts from the very beginning. DevSecOps, and the philosophy of creating secure code from the start, plays down individual threats and how they manifest as vulnerabilities and focuses on prevention early in the software development process. In a sense, you eliminate vulnerabilities by leveraging secure design and writing good code from the start.

Plus, DevSecOps makes the process less stressful for everyone. In the early days of threat modeling, time-consuming and cascading threat modeling meant it was done on a limited scale and rarely kept up to date. This often led to developers skipping security planning and submitting code to the Application Security (AppSec) team to determine if it was secure enough. Then the security team would provide a long list of changes to make. Given their tight deadlines, few developers had the time to implement the AppSec team’s solid list of recommendations. Some companies didn’t have the resources to provide retroactive patches while working on new code. In this case, the best defense was to use traditional threat modeling to try to stop attackers looking to exploit these known vulnerabilities.

DevSecOps has become the gold standard for modeling new threats by proactively preventing threats from emerging. By making development teams own security, it supports a much stronger security framework than if security were the sole responsibility of understaffed AppSec teams. By proactively developing more secure code, standardizing the language, and modernizing the threat philosophy, organizations can dramatically improve their security posture.

Which raises the question: if modern threat modeling is not the same as traditional threat modeling, why call it “threat modeling”?

Adopting a modern threat modeling framework is essential

Although the methods have changed, the reason we need to model threats remains the same. Modern modeling still involves identifying and preventing threats, but more proactively. Focusing on DevSecOps, threat modeling aims to prevent problems at all levels rather than the in-vogue threat or vulnerability at any given time. It’s not possible to predict every new type of malware delivery pattern, but it is possible to eliminate the paths and vulnerabilities that malware might follow.

This situation will only become more precarious. With the rise of sophisticated IoT device hacks, cryptocurrency and blockchain scams, and phishing attacks, businesses have more threats to worry about than ever. To think that a handful of people could predict every method of attack is naïve. And while it seems counterintuitive, the best way to protect against modern threats is to not focus directly on the threats at all.

We must also consider that there are other topics related to risk management in software that do not fit into traditional application security models. Modern threat modeling should provide developers with a prioritized list of mitigations that should be implemented.

Using a modern, comprehensive, and automated threat modeling framework allows organizations to deploy their often limited resources so they can have the greatest impact. Building strong and secure code from the start can even prevent lost productivity by not requiring developers or AppSec teams to retroactively fix vulnerabilities. It will also prevent threat actors from establishing a beachhead to work from, regardless of their attack methods or techniques.

I think this modern threat modeling framework needs to become the new normal, and quickly. No company wants to be known as “the next Equifax” or “the new Colonial Pipeline,” and no shareholder or stakeholder wants to be blindsided by the fact that a major systems breach has occurred due to poor threat modeling. Instead, companies should focus on DevSecOps, build secure code from the start, and use this platform to build a stronger, more modern foundation and approach to threat modeling.