Threat Modeling Should Be A Team Sport

Pen testing, vulnerability scanning, risk management, and threat modeling should be one commitment.

In 2020, a group of threat modeling practitioners, researchers, and authors published the Threat Modeling Manifesto, a statement of values and principles for the practice and adoption of threat modeling.

Threat modeling is the process of capturing, organizing, and analyzing the information that affects the security of a system. Applied to software, it supports informed decisions about security risk. Typical threat modeling efforts also produce a prioritized list of security improvements to an application's concept, requirements, design, or implementation.

Threat modeling is a structured method of assessing the risks associated with a system or application. Developers must take the time to understand which threats apply to their system. Once they know which threats exist, they must assess the impact of each and decide whether any of them poses a high enough risk to warrant mitigation.

Whichever methodology is used, a threat modeling exercise shares a common set of steps with other security assessments. They include:

  1. Form a team. This team should include all stakeholders: business owners, developers, network architects, security experts, and C-level executives.
  2. Establish the scope. Define and describe what the model covers. Create an inventory of all components and data and map them onto the architecture.
  3. Determine likely threats. Build what-if exercises and threat scenarios, including threat or attack trees, to identify possible vulnerabilities or weaknesses.
  4. Rank each threat. Determine the level of risk each threat poses and rank the threats to prioritize mitigation.
  5. Implement mitigations. Decide how to mitigate each threat or otherwise reduce the risk.
  6. Document results. Record all findings and actions so that future changes to the application, the threat landscape, and the operating environment are assessed and the threat model is updated.
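Steps 2 through 6 above, expressed as a small threat-model-as-code script. This is an added example, not code from the original post or from any particular threat modeling tool. The three-tier web application, its trust zones, the data-flow attributes, and every likelihood and impact score are constructed, illustrative assumptions; the STRIDE categories are real, but which flow property maps to which category here is a simplification chosen for the example.

```python
"""Threat model as code for steps 2 to 6 of the procedure above. Added example,
not from the original post. The application, its trust zones and all numeric
scores are constructed, illustrative assumptions."""
from __future__ import annotations

from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Component:
    name: str
    trust_zone: str  # e.g. "internet", "dmz", "internal"


@dataclass(frozen=True)
class DataFlow:
    src: Component
    dst: Component
    data: str
    authenticated: bool  # receiver verifies the caller's identity
    encrypted: bool      # protected in transit
    logged: bool         # the action is recorded for later attribution
    sensitive: bool      # PII, credentials, or other high-value data


@dataclass
class Threat:
    flow: str
    category: str     # STRIDE category
    description: str
    likelihood: int   # 1 (rare) .. 5 (almost certain), assumed values
    impact: int       # 1 (negligible) .. 5 (severe), assumed values
    mitigation: str

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def build_model() -> list[DataFlow]:
    """Step 2 (scope): inventory components, trust zones and data flows."""
    browser = Component("browser", "internet")
    api = Component("api", "dmz")
    db = Component("db", "internal")
    metrics = Component("metrics", "dmz")
    return [
        DataFlow(browser, api, "session API calls", True, False, True, True),
        DataFlow(api, db, "SQL with customer PII", True, False, False, True),
        DataFlow(api, metrics, "health metrics", False, True, False, False),
    ]


def enumerate_threats(flows: list[DataFlow]) -> list[Threat]:
    """Step 3: derive STRIDE threats from each flow's properties. Flows that
    cross a trust boundary or carry sensitive data are scored higher."""
    threats = []
    for f in flows:
        label = f"{f.src.name}->{f.dst.name} ({f.data})"
        boundary = f.src.trust_zone != f.dst.trust_zone
        sens = 2 if f.sensitive else 0
        if not f.authenticated:
            threats.append(Threat(label, "Spoofing",
                "unauthenticated flow: caller identity is not verified",
                4 if boundary else 2, 3 + sens,
                "mutual authentication (mTLS or signed tokens)"))
        if not f.encrypted:
            threats.append(Threat(label, "Information disclosure",
                "plaintext flow: data readable in transit",
                4 if boundary else 1, 2 + sens,
                "TLS 1.2+ with certificate validation"))
        if not f.logged:
            threats.append(Threat(label, "Repudiation",
                "unlogged flow: actions cannot be attributed afterwards",
                3, 3 if f.sensitive else 2,
                "structured audit logs shipped to the SecOps SIEM"))
        if boundary and f.sensitive:
            threats.append(Threat(label, "Tampering",
                "sensitive data crosses a trust boundary",
                3, 4,
                "server-side validation and integrity checks at the receiver"))
    return threats


def rank(threats: list[Threat]) -> list[Threat]:
    """Step 4: order by likelihood x impact, highest first (stable for ties)."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def document(threats: list[Threat], threshold: int = 8) -> dict:
    """Steps 5 and 6: decide what to mitigate versus accept, and record it so
    the model can be re-run when the architecture or threat landscape changes."""
    ranked = rank(threats)
    return {
        "mitigate": [{"flow": t.flow, "threat": t.category, "risk": t.risk,
                      "mitigation": t.mitigation}
                     for t in ranked if t.risk >= threshold],
        "accepted": [{"flow": t.flow, "threat": t.category, "risk": t.risk}
                     for t in ranked if t.risk < threshold],
    }


if __name__ == "__main__":
    print(json.dumps(document(enumerate_threats(build_model())), indent=2))
```

Keeping the model in code rather than in a diagram is what makes step 6 cheap: the same script is re-run after a new feature, an incident, or an architecture change, and the diff of its output is the updated threat model.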

Threat modeling teams that assess applications and platforms use techniques similar to those of pen testers. Threat modeling is usually carried out by internal AppDev, DevOps, and SecOps teams, whereas pen testers are typically an external third party engaged for their ethical hacking expertise.

The first level of engagement is collaboration between the threat modeling team and the pen testers within the same agile sprints. While the threat modeling team is being selected, the scope defined, and the expected threats documented, a third-party pen tester working white-box (full knowledge) can be a member of the team. In a white-box engagement AppDev and the pen tester commonly work together to define the full scope, and the tester is customarily given usernames and passwords, the IP addresses of the target hosts, and the agreed testing criteria. Pairing a third-party white-box pen tester with the internal threat modeling team produces a complete 360-degree view. Without that partnership, the threat modeling results rest solely on internal knowledge.

The second level of engagement is collaboration between the threat modeling team and a pen tester working black-box (zero knowledge): within this engagement the tester has no prior knowledge of the application or platform. SecOps, rather than AppDev, DevOps, or NetOps, would be the internal sponsor of this engagement.

Threat modeling is best applied continuously throughout a software development project. The process is essentially the same at each level of abstraction, although the information becomes progressively more granular over the lifecycle. Ideally, a high-level threat model is defined early, in the concept or planning phase, and then refined throughout the lifecycle.

Updating the threat model is advisable after events such as:

  • The AppDev team releases a new feature
  • A security incident occurs
  • The architecture or infrastructure changes

This combined threat modeling and pen-testing workstream should be established as a standing business operational function for every application and every variant of a platform.

In the spirit of the DevOps movement, risk management, pen testing, and vulnerability scanning should each be treated as a "sprint" within an agile security model that supports the threat modeling engagements. Small and mid-size enterprises could save money while gaining greater insight into their environment by running these audits as one unified project instead of in siloed (waterfall) work cycles. The true beneficiary of this model is the risk management team. By pulling the outputs of these "sprints" into a centralized, contextual risk scoring methodology, an organization can assess its environment more accurately by cross-correlating data from pen testing, scanning, and IT audit control reviews.
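One concrete form of the centralized, contextual risk scoring described above, as an added example that is not part of the original post and does not describe any particular risk management product. Three constructed record sets stand in for the outputs of the scanning, pen-testing, and audit "sprints"; they are joined on asset and finding, and a scanner severity is adjusted by whether the pen test confirmed exploitation and whether the audit found compensating controls effective. The record formats, the asset names, and the multipliers are all assumptions chosen for illustration; the point of the example is that the cross-correlated ranking differs from the scanner-only ranking.

```python
"""Centralized contextual risk scoring across pen-test, scanner and audit
outputs. Added example, not from the original post; the records below are
constructed sample data and the scoring weights are assumptions."""
from collections import defaultdict

# Constructed output of the vulnerability-scanning sprint: base severity 0-10.
SCANNER = [
    {"asset": "api-01", "finding": "outdated TLS library", "severity": 9.8},
    {"asset": "db-01", "finding": "default admin account enabled", "severity": 6.5},
    {"asset": "metrics-01", "finding": "verbose server banner", "severity": 3.0},
]
# Constructed output of the pen-testing sprint: was each finding exploitable?
PENTEST = [
    {"asset": "api-01", "finding": "outdated TLS library", "exploited": False},
    {"asset": "db-01", "finding": "default admin account enabled", "exploited": True},
]
# Constructed output of the IT audit control review, keyed by asset.
AUDIT = [
    {"asset": "api-01", "control": "network segmentation", "effective": True},
    {"asset": "db-01", "control": "network segmentation", "effective": False},
    {"asset": "metrics-01", "control": "network segmentation", "effective": True},
]


def contextual_score(severity, exploited, controls):
    """Adjust a base severity with context from the other sprints.

    exploited: True (confirmed by pen test), False (tested, not exploited),
               None (not covered by the pen test).
    controls:  list of booleans, one per audited compensating control.
    Multipliers are assumed values for the example; the result is capped at 10.
    """
    score = severity
    if exploited is True:
        score *= 1.5          # proven reachable: escalate
    elif exploited is False:
        score *= 0.8          # tested and not exploited, but still present
    for effective in controls:
        score *= 0.7 if effective else 1.2
    return round(min(score, 10.0), 1)


def correlate(scanner, pentest, audit):
    """Join the three sources on (asset, finding) and asset, and return one
    list ranked by contextual score for the risk management team."""
    exploited = {(p["asset"], p["finding"]): p["exploited"] for p in pentest}
    controls = defaultdict(list)
    for a in audit:
        controls[a["asset"]].append(a["effective"])
    rows = []
    for s in scanner:
        ctx_exploited = exploited.get((s["asset"], s["finding"]))
        ctx_controls = controls.get(s["asset"], [])
        rows.append({
            "asset": s["asset"],
            "finding": s["finding"],
            "base_severity": s["severity"],
            "pentest_exploited": ctx_exploited,
            "controls_effective": ctx_controls,
            "contextual_score": contextual_score(
                s["severity"], ctx_exploited, ctx_controls),
        })
    return sorted(rows, key=lambda r: r["contextual_score"], reverse=True)


def scanner_only_ranking(scanner):
    """The ranking the risk team would see from the scanner alone, for comparison."""
    return [s["asset"] for s in sorted(scanner, key=lambda s: s["severity"], reverse=True)]


if __name__ == "__main__":
    print("scanner only:", scanner_only_ranking(SCANNER))
    for row in correlate(SCANNER, PENTEST, AUDIT):
        print(f"{row['asset']:<11} base={row['base_severity']:<4} "
              f"contextual={row['contextual_score']}")
```

With these constructed inputs the scanner alone puts the critical-rated api-01 finding first, while the correlated view puts db-01 first: a medium-rated finding that the pen test actually exploited on a host whose segmentation control the audit found ineffective. That reordering is the insight the unified project buys that siloed reports do not.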
