Page 38 - Cyber Defense eMagazine March 2024

In the past, threat modeling has been done on a whiteboard as a collaboration between cybersecurity
            teams and developers. However, at a time when organizations are building thousands of applications,
            this manual process of identifying threats is becoming increasingly impractical.

            This is where automated threat modeling can make things easier. Developers can feed a description of
            “what are we working on” into a tool, and then rely on automation to generate a threat model containing
            relevant threats (“what can go wrong”) and countermeasures (“what are we going to do about it”). This
            reduces the time and effort for security teams, who no longer have to start from scratch with every new
            piece of software.
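
A minimal sketch of the rule-driven generation described above, added here as an illustration; it is not from the article or from any particular threat modeling tool. The data-flow attributes, rule IDs, threat wording and the sample application are all constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    """One data flow in the design: the "what are we working on" input."""
    source: str
    target: str
    target_kind: str              # "service" or "database"
    crosses_trust_boundary: bool
    encrypted: bool
    authenticated: bool
    carries_user_input: bool

# Hypothetical rule library: (id, STRIDE category, predicate, threat, countermeasure)
RULES = [
    ("T1", "Information disclosure",
     lambda f: f.crosses_trust_boundary and not f.encrypted,
     "Data can be read in transit", "Enforce TLS on this connection"),
    ("T2", "Spoofing",
     lambda f: f.crosses_trust_boundary and not f.authenticated,
     "Caller identity is not verified", "Require authentication at the boundary"),
    ("T3", "Tampering",
     lambda f: f.carries_user_input and f.target_kind == "database",
     "User input reaches a query unchecked", "Use parameterized queries and validate input"),
]

def generate_threat_model(flows):
    """Return one finding per (flow, matching rule): threat plus countermeasure."""
    findings = []
    for f in flows:
        for rule_id, category, applies, threat, countermeasure in RULES:
            if applies(f):
                findings.append({
                    "flow": f"{f.source} -> {f.target}", "rule": rule_id,
                    "category": category,
                    "threat": threat,                  # "what can go wrong"
                    "countermeasure": countermeasure,  # "what are we going to do about it"
                })
    return findings

# Constructed sample design for a small web application.
SAMPLE_FLOWS = [
    Flow("browser", "web_api", "service", True, True, False, True),
    Flow("web_api", "orders_db", "database", False, False, True, True),
    Flow("web_api", "payment_provider", "service", True, False, True, False),
    Flow("web_api", "cache", "service", False, False, True, False),
]

if __name__ == "__main__":
    for item in generate_threat_model(SAMPLE_FLOWS):
        print(f'{item["flow"]}: [{item["category"]}] {item["threat"]} => {item["countermeasure"]}')
```

Because the rules live in one shared library, a security team can extend it once and every design description run through it picks up the new threat and countermeasure.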



            Implementing secure design in your organization

            For it to be effective, we need developers and software architects to engage with secure design and
            threat modeling. However, it is not as simple as asking developers to focus more on security because
            they do not always have the right skills or experience to be able to identify vulnerabilities. Most developers
            graduate without having learnt the technical knowledge needed to build secure software or how to threat
            model. Whilst they are highly skilled at developing the functionality of a web application, they are not
            always equipped to think about how threat actors would exploit security flaws in that functionality.

            As a result, in many organizations the onus falls on security teams to test software for vulnerabilities with
            security testing tools. The problem is they usually get involved once the software code has already been
            written. This is too late for designing secure software because the design flaws are already embedded at
            this stage.

            Instead, security and developer teams must work together from the very beginning of the
            software development process in order to develop software more efficiently and safely. Only then can
            software flaws be identified and mitigated before software is built.

            Unfortunately, we often see a lack of clarity over responsibility for security by design, meaning that it can
            fall through the cracks. This is when senior leaders need to get involved to ensure threat modeling is
            prioritized as a strategically important activity. If the raft of rules and regulations coming out of government
            isn’t enough for senior leaders to take note, then nothing will be.



            A rapidly changing environment

            Within a year we have seen a vast amount of regulation and guidance around cybersecurity and how
            organizations can protect themselves against cyber attacks and threats. Not only in the US, but globally.

            Add into the mix the emergence of new technology, such as machine learning and artificial intelligence,
            which is already having a significant impact on the cyber threat landscape – and it becomes more
            important to ensure security is prioritized from the start of the development process.








            Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.