Page 118 - Cyber Defense eMagazine September 2022
also be done through integrated tools that run the process at scale, across teams and users. Automating
threat modeling means developers will be notified of the security gaps during the development process,
so changes can be made immediately, as opposed to retrospectively when the product is fully developed.
Threat modeling is an excellent engineering practice as it allows organisations to start security left,
building a product that’s secure by design to make the process from ideation to launch much smoother.
Developers aren’t always security experts, so by doing this they can learn to look for some of the
weaknesses that regularly appear in the design phase, which has a positive impact on the security culture
within an organisation.
Businesses that integrate threat modeling into their product development process have the potential to
obtain better quality software and reduce costs as well: fixing finished software is expensive, especially
if it has been in production for several years. Threat modeling is a way to identify technical debt that
you may not want to take on, as well as a way to identify risk.
Business benefits: Collaboration and team learning
As benefits become more obvious, a growing number of companies are adopting threat modeling as a
software development practice. It’s especially important for businesses that are growing fast, for whom
building a secure product is a top priority: companies don’t want to lose the secure culture they spent so
much time and effort creating.
Threat modeling as a practice also brings development and security teams together, enabling easy
collaboration. This type of collaboration – as opposed to security teams acting as a bottleneck to release
products after testing – has great advantages for cyber teams, but also for the product engineers
themselves. Security teams can’t consistently look at every piece of code that’s been written, which is
why empowering the development team is crucial to scale security practices. Threat modeling essentially
allows companies on a fast-growth journey to grow their security practices as they do, ensuring their
products remain secure by design.
Learning is a big aspect of collaboration through threat modeling and we see it very clearly in our clients.
Developers are not expected to be security champions, but there are great benefits from the security
team explaining retrospectively what worked and what didn’t. Once a mistake is understood, it can be
avoided. Multiply this by dozens or even hundreds of common security mistakes in the development
process, and a business can save massive amounts of time, money and resources by avoiding the discovery
of these mistakes at a later stage.
However, this is where we find a challenge: developers don’t always want to invest in threat
modeling, and they aren’t always able to see its benefits. Developers aren’t always aware of the consequences of not
integrating threat modeling into the development process, or of the benefits of doing so. The solution is to
make developer teams aware of the many benefits of thinking about security from the very beginning and
starting security left.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.