The Power of Threat Modeling Capabilities and OWASP SAMM Mapping for Product Security

Threat Modeling: Essential for Product Security?

In today’s cybersecurity landscape, threat modeling has become an essential practice for organizations aiming to secure high-profile products. This article explores how integrating threat modeling with the OWASP Software Assurance Maturity Model (SAMM) can significantly enhance your product’s security, making it an attractive choice for major industry players.

The Challenge: Meeting Stringent Security Standards

Recently, a Toreon consulting client faced a critical challenge: a potential major customer demanded that their cloud-native product meet strict security and cybersecurity standards. This included alignment with the U.S. Food and Drug Administration (FDA) premarket cybersecurity guidance for medical devices, which specifically recommends threat modeling as part of the premarket submission for software as a medical device. In addition, they needed to address requirements from regulations such as the General Data Protection Regulation (GDPR) for data privacy and the Cyber Resilience Act (CRA) for the security of digital products. These requirements called for a comprehensive approach so that the product's security posture would align with industry-leading standards and regulatory expectations.

The solution? We leveraged threat modeling and OWASP SAMM to create a robust security framework.

Threat Modeling: The Foundation of Secure Development

Threat modeling is a proactive approach to identifying, assessing, and mitigating security and privacy risks and potential threats early in the development process.

Threat modeling is a crucial security analysis process, particularly during the software design stage. In an earlier blog post we outlined a simple four-step approach: first, create a data flow diagram of the application to understand how it works and where its trust boundaries lie; second, identify threats against each element and data flow using STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, elevation of privilege); third, mitigate the identified threats by reviewing the security controls that counter them; and finally, validate the threat model so that every threat is either mitigated or explicitly accepted, with each residual risk clearly tied to a business impact. This structured approach helps to systematically identify and manage security risks in products.
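To make the four steps concrete, here is the approach expressed as code. This is an added example, not code from the original post, from Toreon, or from the client engagement described above: the system (a clinician's browser talking to a patient API backed by a database), its trust zones, the controls listed as mitigations, and the one accepted residual risk are all constructed for illustration. The STRIDE-per-element mapping (which categories apply to external entities, processes, data stores and data flows) is the standard one; everything else is an assumption of the example.

```python
"""Four-step threat model as code: DFD -> STRIDE threats -> mitigations -> validation.

Added example; the system, controls and names below are constructed for
illustration and are not a real product or the article author's own tooling.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

STRIDE = ("Spoofing", "Tampering", "Repudiation",
          "Information Disclosure", "Denial of Service", "Elevation of Privilege")

# STRIDE-per-element: which threat categories are relevant for each kind of DFD element.
STRIDE_PER_ELEMENT: Dict[str, Set[str]] = {
    "external_entity": {"Spoofing", "Repudiation"},
    "process": set(STRIDE),
    "data_store": {"Tampering", "Repudiation", "Information Disclosure", "Denial of Service"},
    "data_flow": {"Tampering", "Information Disclosure", "Denial of Service"},
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # a key of STRIDE_PER_ELEMENT
    zone: str   # trust zone; a flow between two different zones crosses a trust boundary

@dataclass(frozen=True)
class Flow:
    name: str
    source: str
    target: str

@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool

@dataclass
class ThreatModel:
    elements: Dict[str, Element]
    flows: List[Flow]
    mitigations: Dict[Tuple[str, str], str] = field(default_factory=dict)     # step 3
    accepted_risks: Dict[Tuple[str, str], str] = field(default_factory=dict)  # residual risk -> impact

def enumerate_threats(model: ThreatModel) -> List[Threat]:
    """Step 2: apply STRIDE-per-element to every element and data flow of the DFD."""
    threats: List[Threat] = []
    for elem in model.elements.values():
        for cat in sorted(STRIDE_PER_ELEMENT[elem.kind]):
            threats.append(Threat(elem.name, cat, False))
    for flow in model.flows:
        crosses = model.elements[flow.source].zone != model.elements[flow.target].zone
        for cat in sorted(STRIDE_PER_ELEMENT["data_flow"]):
            threats.append(Threat(flow.name, cat, crosses))
    return threats

def validate(model: ThreatModel, threats: List[Threat]) -> List[str]:
    """Step 4: every threat needs a control or an explicitly accepted residual risk.

    Returns the unresolved threats, those on flows crossing a trust boundary first.
    """
    gaps = [t for t in threats
            if (t.element, t.category) not in model.mitigations
            and (t.element, t.category) not in model.accepted_risks]
    gaps.sort(key=lambda t: (not t.crosses_boundary, t.element, t.category))
    return [f"{t.element}: {t.category}" + (" [crosses trust boundary]" if t.crosses_boundary else "")
            for t in gaps]

def build_sample_model() -> ThreatModel:
    """Step 1 (constructed DFD): clinician browser -> patient API -> patient database."""
    elements = {
        "Clinician Browser": Element("Clinician Browser", "external_entity", "internet"),
        "Patient API": Element("Patient API", "process", "vpc"),
        "Patient DB": Element("Patient DB", "data_store", "vpc"),
    }
    flows = [Flow("HTTPS request", "Clinician Browser", "Patient API"),
             Flow("SQL query", "Patient API", "Patient DB")]
    model = ThreatModel(elements, flows)
    # Step 3: controls reviewed against each threat (constructed, illustrative values).
    model.mitigations.update({
        ("Clinician Browser", "Spoofing"): "OIDC login with MFA",
        ("Patient API", "Spoofing"): "TLS server certificate",
        ("Patient API", "Tampering"): "input validation; signed container images",
        ("Patient API", "Repudiation"): "audit log shipped to an append-only store",
        ("Patient API", "Information Disclosure"): "per-record authorization checks",
        ("Patient API", "Denial of Service"): "rate limiting at the gateway",
        ("Patient API", "Elevation of Privilege"): "least-privilege cloud role; RBAC",
        ("Patient DB", "Tampering"): "parameterized queries; DB role without DDL rights",
        ("Patient DB", "Repudiation"): "database audit log",
        ("Patient DB", "Information Disclosure"): "encryption at rest; PHI column encryption",
        ("Patient DB", "Denial of Service"): "backups with point-in-time recovery",
        ("HTTPS request", "Tampering"): "TLS 1.2+",
        ("HTTPS request", "Information Disclosure"): "TLS 1.2+",
        ("HTTPS request", "Denial of Service"): "WAF/CDN in front of the gateway",
        ("SQL query", "Tampering"): "mTLS between API and DB",
        ("SQL query", "Information Disclosure"): "mTLS between API and DB",
    })
    # A residual risk is recorded with its business impact rather than silently dropped.
    model.accepted_risks[("Clinician Browser", "Repudiation")] = (
        "Low impact: clinician actions are logged server-side with the authenticated identity")
    return model

if __name__ == "__main__":
    m = build_sample_model()
    ts = enumerate_threats(m)
    print(f"{len(ts)} threats enumerated")
    for gap in validate(m, ts):
        print("UNRESOLVED:", gap)   # the sample leaves "SQL query: Denial of Service" open
```

Running it enumerates 18 threats for the sample DFD and reports one unresolved threat, denial of service on the API-to-database flow, because it has neither a control nor an accepted residual risk. That is the point of step 4: the model is only complete when the gap list is empty, and the same check can run in CI against a model file so the threat model is persisted and re-validated whenever the design changes.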

Threat modeling offers significant cost-saving benefits by identifying vulnerabilities early in the development process. Addressing security issues during the design phase is substantially cheaper than fixing them post-release. This proactive approach also helps prioritize security efforts, ensuring efficient resource allocation. By reducing the likelihood of security breaches, threat modeling indirectly saves costs associated with incident response, legal liabilities, and potential reputational damage. Ultimately, investing in threat modeling upfront leads to long-term savings and a more secure product.

OWASP SAMM: A Structured Path to Security Maturity

The OWASP Software Assurance Maturity Model (SAMM) provides a framework for organizations to build and improve their software security posture. It offers a measurable and actionable pathway to enhance security practices across various business functions.

You can learn more about OWASP SAMM at https://owaspsamm.org/.

Mapping Threat Modeling Capabilities Framework to SAMM

To create a comprehensive security strategy, we’ve mapped threat modeling capabilities to OWASP SAMM.

This mapping was co-created by Sebastien Deleersnyder (a major contributor to the Threat Modeling Capabilities and project leader of OWASP SAMM) and his team, together with Aram Hovsepyan (CEO at Codific and also very active in the OWASP SAMM project). It creates a clear, staged pathway for building robust threat modeling practices within your security team.

The Threat Modeling Capabilities, outlined by the Threat Modeling Manifesto at https://www.threatmodelingmanifesto.org/capabilities/, emphasize integrating threat modeling into the development lifecycle, continuous learning, collaborative creation, actionable follow-ups, effective communication, and using metrics for improvement. The figure below gives an overview of all the capabilities:

[Figure: overview of the Threat Modeling Capabilities]

The detailed mapping of these capabilities to OWASP SAMM has been donated to the OWASP SAMM project. You can find it here: Threat Modeling Capabilities Mapping.

Let’s explore the key areas:

  1. Strategy
    • Develop policies mandating threat modeling in the development process
    • Integrate threat modeling into all phases of the software development lifecycle
    • Allocate necessary resources for effective threat modeling
  2. Education
    • Incorporate threat modeling training into your team’s curriculum
    • Provide role-specific threat modeling training
    • Ensure continuous education on the latest types of threats and security features
  3. Creating Threat Models
    • Foster a collaborative environment for threat identification
    • Use detailed system architecture and threat intelligence
    • Document and reuse common threat patterns
  4. Acting on Threat Models
    • Use threat modeling to quantify and manage risks effectively
    • Integrate threat modeling outcomes into implementation workflows
    • Continuously improve your threat modeling process using metrics
  5. Communications
    • Actively seek stakeholder feedback on threat modeling practices
    • Facilitate productive discussions to share knowledge and best practices
  6. Measurement
    • Implement dashboards to track the impact of threat modeling
    • Assess the ROI of your threat modeling efforts
  7. Program Management
    • Share threat modeling best practices within your organization
    • Maintain flexibility in your threat modeling methods

Creating Your Threat Modeling Roadmap

To successfully integrate threat modeling into your engineering process, follow these steps:

  1. Secure stakeholder buy-in
  2. Embed threat modeling into your lifecycle
  3. Develop a comprehensive threat modeling training program
  4. Continuously refine your threat modeling processes
  5. Utilize threat modeling tools to enhance efficiency

These steps are explained in our Threat Modeling Playbook, available at https://owasp.org/www-project-threat-modeling-playbook/. It provides comprehensive guidance on implementing and maturing threat modeling practices within an organization. We cover key aspects such as gaining stakeholder buy-in, embedding threat modeling in organizational processes, training people to perform threat modeling, strengthening threat modeling processes, and innovating with threat modeling technology. Our playbook emphasizes the importance of aligning threat modeling with existing risk management frameworks and integrating it seamlessly into the software development lifecycle.

Threat Modeling in the Software Development Lifecycle

Our Threat Modeling Playbook recommends a phased approach to implementation, beginning with stakeholder identification, establishing a threat modeling specialist role, and providing appropriate training. We offer guidance on selecting methodologies, performing and persisting threat models, and following up on identified risks and mitigations. The playbook also covers process optimization over time and the selection and integration of supporting tools and technologies. Additionally, we’ve mapped Threat Modeling Capabilities to different Playbook activities, enabling organizations to build these capabilities in a logical order aligned with their target maturity level.

By donating this comprehensive resource to the OWASP community, we aim to help organizations systematically enhance their threat modeling capabilities and improve the security of their systems and applications on a broader scale.

Threat Modeling Process In Agile Development

Sebastien unveiled the SAMM & Threat Modeling Capabilities during his presentation at Global AppSec in Lisbon in June (the recording is available at: https://www.youtube.com/watch?v=8KM_lqqV7Lc). One of the key topics we addressed was how to apply this mapping effectively for agile teams, where threat modeling needs to be swift and iterative.

We provided these essential tips for agile teams:

  1. Identify user stories requiring threat modeling based on their (application) security impact
  2. Conduct just-in-time threat modeling sessions for the identified stories

By establishing the fundamental capabilities (corresponding to maturity level 1 in SAMM) and organizing them according to our recommended playbook steps, we enabled our client to develop their cloud-native product while demonstrating compliance with stringent security and cybersecurity standards. This approach integrates threat modeling into agile workflows, enhancing security without compromising speed.

Conclusion: The Competitive Edge of Threat Modeling Frameworks

Integrating threat modeling capabilities with OWASP SAMM builds a robust security framework that addresses the concerns of even the most security-conscious clients. This approach enhances product security and positions it as a reliable choice in a competitive market.

Threat modeling fosters a proactive security culture, encouraging teams to think critically about potential vulnerabilities from the earliest stages of development. For agile teams, it proves that security and speed are not mutually exclusive, allowing organizations to maintain agility while improving their security posture.

As cyber threats evolve, threat modeling’s importance grows, especially in emerging technologies like IoT and cloud computing. Investing in this practice demonstrates a commitment to security that goes beyond surface-level measures, building trust with customers and stakeholders.

Organizations that embrace threat modeling as a core part of their DevOps process will be better equipped to face future cybersecurity challenges. They’ll adapt more quickly to new threats, leverage emerging security technologies more effectively, and maintain a competitive edge in an increasingly security-aware market.

By starting today and leveraging resources like our Threat Modeling Playbook, organizations can take significant strides towards building more secure, resilient, and trustworthy products.
