nelsonjason1

Is Threat Modeling Tools or Process?

Tool vs. process is a debate as old as time, and we don't plan to end it with this short post. However, Necessary Security holds strong opinions on what works for threat modeling at scale and for regulated industry. This is just one of many articles to come that provide insight and commentary on current topics in threat modeling and tooling, adding to the canon of threat modeling discussion.


Two things raised this week in the tooling space made us think about tools vs. process.


AWS Threat Composer is a newly released tool developed by AWS Labs and designed to streamline and automate the process of threat modeling. This tool helps security professionals and developers identify and document potential security threats in their applications.

Key features of Threat Composer include:

  1. Integration with AWS Services: It leverages AWS security services and best practices, ensuring that threat models are aligned with the latest security standards.

  2. Automation: The tool can automate much of the discovery and documentation in the threat modeling process, reducing the manual effort required and minimizing the chances of human error.

  3. Customizable Templates: It offers templates that can be tailored to specific application needs, allowing users to create detailed and relevant threat models quickly.

  4. Collaboration: The tool supports team collaboration, making it easier for different stakeholders to contribute to and refine the threat model.

By integrating Threat Composer into your security workflow, you can ensure a more comprehensive and efficient approach to identifying and mitigating potential security threats in your applications (GitHub).

For more detailed information, you can visit the Threat Composer GitHub page.


OWASP Cornucopia

Maybe a different type of tool, but still a tool.

OWASP Cornucopia is a card game designed to help software development teams identify security requirements in various development processes. It is platform and technology agnostic, making it versatile for different environments. The game references several OWASP and external resources, such as the OWASP Secure Coding Practices Checklist and MITRE CAPEC. Cornucopia's source files and tools are available on GitHub, allowing users to build and customize their own decks. The project encourages contributions and offers guidance for setting up and maintaining the game. For more details, visit the OWASP Cornucopia GitHub page.

In addition to OWASP Cornucopia, several other threat modeling card games are available:

  1. Elevation of Privilege (EoP):

  • Developed by Microsoft, EoP is designed to help identify and address security threats based on the STRIDE threat modeling framework.

  2. Security Cards:

  • Created by the University of Washington, this game encourages creative thinking about potential security threats and how to mitigate them.

  3. Control-Alt-Hack:

  • A game by the University of Washington and Intel, it aims to educate players about computer security through engaging scenarios and characters.

To be fair, OWASP makes a threat modeling tool called OWASP Threat Dragon, but it was already released before today, so we are not commenting on it now.



Threat Modeling Tools vs. Process


Spoiler Alert: It is always process


In the context of threat modeling, both tools and processes are important, but the process generally holds more significance.

Here's why:

  1. Understanding and Framework: The process of threat modeling involves a structured approach to identifying, assessing, and addressing potential threats. This framework is crucial for ensuring that all aspects of security are considered, which tools alone cannot guarantee. In this context, the framework need not be a single specific model (STRIDE/PASTA/MITRE); it is the actual process you follow to identify threats and to get them mitigated and tracked per your obligations to do so.

  2. Customization and Adaptability: The process can be tailored to the specific needs and contexts of different projects or organizations. While tools can assist, they often come with predefined settings and limitations that may not fit every scenario perfectly. There are many tools for different applications. Given that I just referenced 3 tools in this post and there are many more, there is likely something for every use case, and some may be for all tools or any tools. A mature and scalable threat modeling program will make use of tools to standardize the user experience, create a common format for defining threats, automate the process, and integrate with workflow, change management, architecture, and application patterns.

  3. Human Insight and Expertise: Effective threat modeling relies on the expertise and insights of security professionals who can interpret data, understand nuanced threats, and make informed decisions. Tools can provide data and automation but lack the critical thinking and contextual understanding that humans bring to the table. A great example of the state of tools in the industry is that they don't handle the full path of a threat. For example, an application will have a process entry point, and the process will flow from there to its logical end. A basic threat is to eavesdrop on that connection if it is not encrypted. Tooling today will only interpret a single point in that chain and not each hand-off between systems. Trust boundaries are another good example of how a person is needed to recognize these boundaries and define them.

  4. Holistic Approach: The process encompasses various stages, including identifying assets, considering potential adversaries, modeling threats, and designing mitigations. Tools are typically used at specific stages within this broader process but do not cover the entire spectrum comprehensively. We will focus more on this topic to highlight the nature of some more mature tools in threat modeling that are more of the engine of many of the process steps, and how companies should consider utilizing them from this perspective.

  5. Content: This is the biggest weakness in all tooling today, and yes, even Wiz suffers from this. Everyone will point at CVE, MITRE, CWE, OWASP, etc. These are all good resources, but they are not enough and often do not have a mitigation or solution that is specific to your organization. So even if your chosen tool makes a recommendation for mitigation, it is likely something like "turn on encryption" or "don't have public access to data". The process you build will align the way mitigations are written so that they are effective, have behavior-driven test cases written to demonstrate efficacy, and are aligned to corporate policy/standards or, even better, point to existing patterns as code in a repository.

  6. Continuous Improvement: The threat landscape is always evolving, and so must the threat modeling process. Continuous improvement and adaptation are integral to staying ahead of new and emerging threats. Tools need to be updated and adapted as part of this ongoing process, but the underlying methodologies and practices are what drive sustained security. This is important as a design decision. Your tooling should enable the process and not be the source of truth or even the storage location of your work. Leverage the same systems as your engineers and developers. This way you are using the same tools and speaking the same language as your intended audiences. When a tool needs an update or a new tool is selected, your process can still operate, and you have well-defined requirements to assess the next tool to fit into your process.
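The hand-off point from item 3, as an added example (not from the original post or from any of the tools named in it): a sketch that walks every hop of a data flow, records an eavesdropping threat for each unencrypted hand-off, and lists trust boundary crossings for a person to review. The components, zone names and flow are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Hop:
    src: str
    dst: str
    protocol: str
    encrypted: bool

# Constructed sample: hypothetical components mapped to hypothetical trust zones.
ZONES = {"browser": "internet", "api-gateway": "dmz", "orders-svc": "app",
         "queue": "app", "billing-svc": "app", "orders-db": "data"}

# Constructed sample flow: one request from its entry point to its logical end.
FLOW = [
    Hop("browser", "api-gateway", "https", True),
    Hop("api-gateway", "orders-svc", "http", False),
    Hop("orders-svc", "queue", "amqp", False),
    Hop("queue", "billing-svc", "amqps", True),
    Hop("billing-svc", "orders-db", "postgres", False),
]

def walk_flow(flow, zones):
    """Check every hand-off in the path, not only a single point in it."""
    findings = []
    for number, hop in enumerate(flow, start=1):
        if hop.encrypted:
            continue
        findings.append({
            "hop": number,
            "link": f"{hop.src} -> {hop.dst}",
            "threat": "eavesdropping on unencrypted connection",
            "crosses_trust_boundary": zones[hop.src] != zones[hop.dst],
        })
    return findings

def boundary_crossings(flow, zones):
    """Hand-offs where the trust zone changes; a person still defines the zones."""
    return [f"{h.src} -> {h.dst}" for h in flow if zones[h.src] != zones[h.dst]]

if __name__ == "__main__":
    # Looking only at the entry point finds nothing: that hop is encrypted.
    print("entry point only:", walk_flow(FLOW[:1], ZONES))
    for finding in walk_flow(FLOW, ZONES):
        print(finding)
    print("boundary crossings:", boundary_crossings(FLOW, ZONES))
```

The findings are plain dictionaries, so they can be serialized and kept in the same repository the engineers already use.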




Mechanical Arm tool

Auto assembly plant
Assembly Process

While threat modeling tools are invaluable for automating and enhancing specific tasks within the threat modeling process, the overall effectiveness of threat modeling is largely dependent on a robust, adaptable, and comprehensive process. Thus, the process matters more, with tools serving as enablers within that process. There are many tasks, processes, and artifacts that must be considered for a threat modeling process to be effective and integrated at a corporation. Designing the process to interact with, co-exist with, feed, and consume from other processes is the key to determining where, how, and why a tool can add value.


If your company is beginning the threat modeling journey or is looking to reach the next level of your threat modeling program, please consider Necessary Security LLC to provide that guidance with our Maturity Assessment and Advisory Services.

