Advances in Threat Modelling Saving Time and Money
Threat modelling was originally an ad-hoc process for identifying threats during the requirements phase of a Waterfall project. It was therefore usually a one-time exercise carried out early in the development lifecycle. It also required highly specialised subject-matter experts with knowledge of both software architecture and application security, so organisations found threat modelling difficult to roll out because qualified security professionals were hard to find.
Agile, DevOps, CI/CD, and cloud automation allow software to be developed far faster than in previous years. Against that pace, traditional threat modelling approaches have become too complex, time-consuming, costly, and inefficient.
Now, advances in threat modelling methodologies and in tooling that automates the process have allowed the practice to gain momentum rapidly across the marketplace. Good, scalable threat modelling can also help meet security and regulatory laws and deliver substantial, tangible cost benefits by building security into applications and systems as they are developed.
Scaling and automating threat modelling is necessary because:
1. Security teams are usually small and typically have to cover many concurrent active projects.
2. Agile and CI/CD/DevOps methodologies produce a high volume of planning and development activity, and a cumbersome or poorly thought-out threat modelling process will simply be jettisoned.
A good threat modelling system reduces data-entry time and offers many ways to integrate with the underlying engineering and development workflows.