In the dynamic world of application security, threat modeling should sit at the heart of every AppSec program. Organizations adopt very different approaches to putting it into practice, and that decision strongly influences how much security they actually gain from it. Striking a balance between voluntary and mandatory threat modeling requirements is key to achieving the best results. Today, we delve into the voluntary-versus-mandatory debate on threat modeling and explore the Hybrid Approach, a method that combines the best of both worlds.
Threat Modeling: A Crucial Decision
Threat modeling is more than just a technical process; it's a strategic choice that significantly impacts an organization's ability to uncover and mitigate threats – often before they happen. The decision is shaped by the existing engineering practices and organizational culture, making it essential to align the approach with your company's ethos to ensure a successful implementation.
According to a revealing LinkedIn poll I held a few months back, the majority of respondents lean towards a “voluntary but encouraged” approach to threat modeling. However, “Mandatory, and acts as a gate” also has traction, and as threat modeling adoption grows within organizations, I wonder whether this option will continue to gain ground.
The Mandatory Approach: Where Security Takes Center Stage
In the mandatory approach, threat modeling becomes a non-negotiable gate for developers, preventing new features from moving into production until the threat modeling process is completed. The status of the threat model is closely monitored, and if it hasn't been uploaded or attached to a ticket, the feature cannot progress through the development pipeline.
Strengths of the Mandatory Approach:
Universally Applied: By making threat modeling mandatory for all features, the organization ensures a consistent security practice across the board.
Shared Responsibility: With every feature being threat modeled, the creation of models becomes a collaborative effort involving developers and adjacent product teams.
Weaknesses of the Mandatory Approach:
Compliance Concerns: Teams may view threat modeling as a mere compliance artifact, leading to minimal effort invested in the process.
Governance Challenges: The sheer volume of threat models can make governance and review processes more complex.
The Voluntary Approach: Encouraging Passionate Security Champions
On the other end of the spectrum lies the voluntary approach, where threat modeling is encouraged but doesn't serve as a blocker for new features. In this scenario, developers and product-adjacent individuals may emerge as security champions, already possessing a genuine passion and drive for security.
Strengths of the Voluntary Approach:
Enthusiastic Participation: Those who voluntarily engage in threat modeling are intrinsically motivated, leading to higher-quality threat models.
Emphasis on Quality: The voluntary effort put into threat modeling ensures more thoughtful and comprehensive models.
Weaknesses of the Voluntary Approach:
Incomplete Models: Crucial features might be overlooked, leading to potential security vulnerabilities slipping into production.
Design-Related Risks: Failure to address design-related issues could result in subsystem-level vulnerabilities, jeopardizing the entire system/application.
The Not-Doing Threat Modeling Dilemma
Surprisingly, 8% of respondents in the survey admitted to not conducting any threat modeling. Obviously, I believe this is a mistake. The value of threat modeling far outweighs the effort required. Building a culture in which developers and adjacent teams understand and prioritize security provides protection that is hard to overstate.
Strengths of Not-Doing Threat Modeling:
Resource Efficiency: Skipping threat modeling might avoid disagreements between security and engineering teams over workload allocation.
Weaknesses of Not-Doing Threat Modeling:
Vulnerability Risks: The absence of threat modeling leaves room for design-related issues to turn into production vulnerabilities.
Subsystem Compromise: Overlooking design-related vulnerabilities, especially at the subsystem level, can lead to critical system/application compromise.
The Hybrid Approach: Bridging the Gap
The Hybrid Approach, as shared by Julie Davila, CTO, Federal at Sophos, in the poll, strikes a harmonious balance. Sophos starts from a mandatory footing: threat modeling is required for new code or integrations where necessary. To empower engineering teams, security champions triage and undertake "0 to 80" work at scale. The AppSec team actively participates in the first threat model, while subsequent updates are managed autonomously, with assistance available if needed. This shared responsibility model fosters a top-down endorsement of security practices.
Threat modeling with every code or infrastructure change isn't always feasible, according to Julie. However, updating threat models under specific conditions, such as new data flows, changes in infrastructure, and modifications to encryption, ensures ongoing security alignment.
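To make the gate described in the mandatory approach and the hybrid update triggers concrete, here is an added example of a pipeline check (not Devici's or Sophos's own tooling): it requires a threat model for a new component or integration, requires a model update when a change touches data flows, infrastructure or encryption, and otherwise lets the change through without extra work. The path patterns, ticket fields and sample changes are assumptions constructed for illustration.

```python
"""Hybrid threat-model gate for a CI pipeline (added example, not Devici's
or Sophos's tooling). Encodes the policy above: a model is mandatory for a
new component or integration, and an existing model must be refreshed when
a change touches data flows, infrastructure or encryption. Path patterns
and ticket field names are illustrative assumptions."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumed path heuristics for the three update triggers named in the post.
TRIGGERS = {
    "new data flow": re.compile(r"(^|/)(api|integrations|schemas?)/|openapi|\.proto$"),
    "infrastructure change": re.compile(r"(^|/)(infra|terraform|k8s|helm)/|\.tf$|Dockerfile"),
    "encryption change": re.compile(r"crypto|tls|kms|cipher|secrets?"),
}


@dataclass
class Change:
    files: List[str]               # paths touched by the change
    new_component: bool            # brand-new service or integration
    threat_model_attached: bool    # a model is linked to the ticket
    model_updated: bool = False    # the linked model was revised for this change


def triggered_conditions(files: List[str]) -> List[str]:
    """Return the update triggers hit by the changed paths (sorted, unique)."""
    return sorted({name for f in files for name, rx in TRIGGERS.items() if rx.search(f)})


def evaluate_gate(change: Change) -> Tuple[bool, List[str]]:
    """Return (blocked, reasons); an empty reasons list means the gate passes."""
    reasons = []
    hits = triggered_conditions(change.files)
    if not change.threat_model_attached:
        if change.new_component:
            reasons.append("new component without an initial threat model")
        if hits:
            reasons.append("threat model required: " + ", ".join(hits))
    elif hits and not change.model_updated:
        reasons.append("threat model update required: " + ", ".join(hits))
    # No trigger and nothing new: pass without demanding busy work.
    return bool(reasons), reasons


if __name__ == "__main__":
    # Constructed sample change: a Terraform edit with a stale model attached.
    blocked, why = evaluate_gate(Change(["infra/terraform/main.tf"], False, True))
    print(blocked, why)
```

Wiring this into a merge check gives the "acts as a gate" behaviour for the changes that matter while leaving cosmetic changes untouched.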
The hybrid approach offers essential threat modeling controls for new features while avoiding burdening product teams with unnecessary busy work. At Devici we firmly believe that embracing the Hybrid Approach is the optimal way forward for your application security program.
By striking the perfect balance, you empower development teams, nurture a security-conscious culture, and build applications that stand resilient in an ever-changing threat landscape.