The evolution of threat modelling as a DevSecOps practice

Threat modelling is becoming ever more integrated into software architecture design. Here, Stephen de Vries of IriusRisk looks at the evolution of the process

Threat modelling is the structured analysis of a system's design to identify the threats it faces and the weaknesses an attacker could exploit, starting in the design phase and continuing through the software development lifecycle. Although the underlying ideas are not new, as a mainstream software security practice it has gathered significant traction over the past few years.

Historically, threat modelling was – literally – conducted by security professionals using whiteboards. Today, though, it’s becoming more integrated into software architecture design, with developers increasingly able to take it on in collaboration with the security team, complementing the DevSecOps model.

And it’s continuing to evolve. Open source threat modelling tools are arguably the next step: because they are not tied to a single vendor's product, they lower the barrier to entry and can be adopted much more widely.

Threat modelling examines the design of a software system to identify potential security problems. Its ultimate purpose is to anticipate, and proactively address, how an attacker might compromise an application.

Fundamentally, it involves answering four questions, first during the design phase and again whenever the design changes: What are we building? What can go wrong? What are we going to do about it? And did we do a good job?

By finding design flaws this early in the software development lifecycle, developers can build protections into the code from the start, which costs far less than fixing the same flaws after release, let alone after a security breach.

Any threat model built during this early stage should then be used to inform all downstream security activities, including implementation, testing and beyond. In many cases, however, the model is produced once, during design, and then left to drift out of date as the system changes, so it stops informing implementation and testing.

Shift left

By embracing threat modelling, developers can build valuable relationships with their organisation’s security team. Such relationships are ever more important as security joins the “shift left” movement and becomes an essential part of the application build pipeline: development and security teams need to work closely together to create repeatable processes that result in secure software.

This, then, is DevSecOps, an extension of the DevOps model in which security has a seat at the table through every phase of the DevOps process. Given that it is inherently a collaborative activity involving the security and development teams, threat modelling lends itself naturally to this model. In fact, the iterative nature of the threat modelling methodology fits the DevOps process well. Each time a new “plan” phase is reached, for instance, there is an opportunity for threat modelling. Then, with each new sprint or iteration, that threat model can be reviewed and revised rather than rebuilt from scratch.

With its importance as part of the DevSecOps model now recognised, it’s likely that the evolution of threat modelling will soon see the practice becoming more widely adopted.

Accessible to all

At its most basic, threat modelling can be carried out by experts and engineers using a whiteboard.

Over time, though, software development has become increasingly about moving fast, with a culture of continuous integration and deployment. This, coupled with development teams working on dozens, or even hundreds, of services simultaneously, means the manual “whiteboard” method of threat modelling is largely untenable. It’s often not practical and it’s certainly not scalable.

Threat modelling has had to evolve to keep up with the pace and demands of software development. With security now a board-level priority for most organisations, threat modelling has become a capability that business leaders, not just engineers, need to care about. Indeed, it’s now recognised as a critical software security practice. In the US, for example, the National Institute of Standards and Technology (NIST) recommends that threat modelling is undertaken as part of its Recommended Minimum Standards for Vendor or Developer Verification of Code.

Until recently, threat modelling was still primarily the domain of an organisation’s security experts. Now, though, the advent of open source tools, the next logical step in threat modelling’s evolution, makes it accessible to developers too, which is essential for the DevSecOps model.

Tools now on the market are designed to be used by security teams and developers alike. They provide templates, pre-defined libraries of common threats and countermeasures, and easy-to-use dashboards, and can draw on open, shared threat libraries rather than relying on each team’s own knowledge.

Threat modelling has come a long way from the manual whiteboard approach. Open source tools are set to transform the threat modelling process. By making it an increasingly simple and widely adopted practice, they will have a significant impact on secure design. As the delivery pipeline becomes faster and more complicated, and as the threat landscape continues to grow in its sophistication, the benefits of open source threat modelling tools in enabling an effective DevSecOps approach represent a huge step towards achieving true secure software design.

Stephen de Vries is co-founder and CEO of IriusRisk
