Role and purpose of threat modeling in software development
Threat modeling and software development
Threat modeling is an exercise designed to identify the potential cybersecurity threats and attack surface of an application. By working through the threat modeling process, a development team can identify these cybersecurity threats and develop strategies for remediating them early in the software development process.
How can threat modeling improve application security posture?
Application security is all about minimizing the potential cybersecurity risk and threats to a particular application. In order to effectively protect against these potential threats, it is necessary to understand what they are.
Threat modeling helps to improve application security posture by helping developers to identify the potential threats and attack vectors for their applications. This information can then be incorporated into the design and implementation of these applications to decrease their exploitability and exposure to cybersecurity threats.
When is the best time in the software development life cycle (SDLC) to threat model?
As early as possible! The later that threat modeling is performed within the SDLC, the more time and effort has been spent on a potentially insecure design. Additionally, early threat modeling enables security to be intelligently built into the development schedule. This way, a development team doesn’t reach the end of the process only to identify potential issues and have to choose between meeting release deadlines and shipping a secure and functional product.
Performing threat modeling early in the process enables an organization to incorporate security requirements into the design and implementation process. This minimizes the amount of wasted work and enables security to be fully integrated into the application, making it far more effective than if it is “tacked on” at the end.
Aligning threat modeling to SDLC stages
While incorporating threat modeling into the early stages of the SDLC is a good idea, thinking about potential threats should not be limited to the planning stages. Threat modeling can and should be a part of every stage of the SDLC:
- Requirements: In the Requirements stage, the development team should perform a threat modeling exercise and identify potential risks and threats for the application. This threat modeling exercise should be used to inform the development of security requirements for the application (e.g., that the application should have feature X that protects against or mitigates threat Y).
- Design: During the Design stage, the results of the threat modeling process and the security requirements created should be incorporated into the design. Once the design is complete, performing another threat modeling exercise is a good idea to determine if the specific design of the application introduces any new potential attack vectors.
- Coding: While implementing the application, it is important to keep the security requirements in mind and develop the application to follow security best practices. This includes the use of vetted, secure libraries, adherence to secure coding standards and so on.
- Testing: When developing and performing testing, tests against the security requirements should be created alongside those for application functionality and user experience. Additionally, it is best practice to subject an application to vulnerability scanning and penetration testing before release to help identify any potential vulnerabilities before it reaches production.
- Deployment: The details of how an application is deployed, including configuration settings, deployment environment, etc., can impact its security. Threat modeling should be performed at the Deployment stage of the SDLC as well to identify any of these potential risks and ensure that the application is deployed properly and securely.
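The stages above form a traceability chain: a threat identified in Requirements should map to a security requirement in Design, which should map to a test in Testing and, where it depends on configuration, to a check at Deployment. The following added example (not code from the original article) shows a minimal register that reports where that chain is broken; the dataclass names, field names and all sample threats and requirements are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Requirement:
    rid: str
    statement: str
    tests: list = field(default_factory=list)          # test ids covering it (Testing)
    deploy_checks: list = field(default_factory=list)  # config checks (Deployment)

@dataclass
class Threat:
    tid: str
    description: str
    requirements: list = field(default_factory=list)   # ids of mitigating requirements

def find_gaps(threats, requirements):
    """Return, per SDLC stage, the ids that lack coverage at that stage."""
    by_id = {r.rid: r for r in requirements}
    gaps = {"design": [], "testing": [], "deployment": []}
    for t in threats:
        # A threat with no requirement (or only dangling ids) was identified but never mitigated.
        linked = [by_id[r] for r in t.requirements if r in by_id]
        if not linked:
            gaps["design"].append(t.tid)
        for req in linked:
            if not req.tests:
                gaps["testing"].append(req.rid)      # requirement exists but is untested
            if not req.deploy_checks:
                gaps["deployment"].append(req.rid)   # nothing verifies it in the deployed config
    return gaps

# Constructed sample register; not taken from any real project.
REQUIREMENTS = [
    Requirement("R1", "Lock account after repeated failed logins",
                tests=["test_lockout_after_threshold"],
                deploy_checks=["LOCKOUT_THRESHOLD is set"]),
    Requirement("R2", "All client traffic over TLS",
                tests=["test_http_redirects_to_https"]),
    Requirement("R3", "Validate uploaded file type server-side"),
]
THREATS = [
    Threat("T1", "Brute-force of the login form", requirements=["R1"]),
    Threat("T2", "Credential interception on the network", requirements=["R2"]),
    Threat("T3", "Malicious file upload", requirements=["R3"]),
    Threat("T4", "Privilege escalation via admin endpoint"),  # no mitigation recorded yet
]

if __name__ == "__main__":
    for stage, ids in find_gaps(THREATS, REQUIREMENTS).items():
        print(f"{stage}: {ids or 'covered'}")
```

Running the check in CI turns the "every stage" principle into a gate: a threat that never acquired a requirement, or a requirement that never acquired a test, fails the build instead of surfacing at release.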
How threat modeling supports a culture of DevSecOps
The goal of DevSecOps is to integrate security into every stage of the development life cycle. By “shifting security left” and considering it in every stage of the SDLC rather than just in testing, a development team improves application security and decreases cybersecurity risk.
Threat modeling is an essential part of DevSecOps because it informs the security design process. Without a clear understanding of the potential threats that an application can face — an understanding provided by threat modeling — it is much more difficult to design and implement defenses that can adequately protect against them.
The role of security champions in threat modeling
Threat modeling can be a difficult and time-consuming exercise. In the current, fast-paced development environment, it may be appealing to skip this step in the interest of releasing code more quickly.
This is why security champions are essential to threat modeling. Security champions ensure that this vital part of the development process is not overlooked or under-prioritized in favor of more rapid release cycles.
Integrating threat modeling into software development practices
As organizations make the shift from DevOps to DevSecOps, threat modeling becomes an essential component of the software development process. Attempting to design “secure” software and implement defenses against cyber threats without understanding what these threats are is an exercise in futility.
Threat modeling should be incorporated into every stage of the SDLC to ensure that threats are identified and managed from the initial design of software through the final release. While this may be time-consuming in the short term, “shifting security left” can dramatically decrease the cost of application security.