Threat Modeling Playbook – Part 2 Embed threat modeling in your organization

A successful threat modeling strategy hinges on garnering support from stakeholders and distributing resources strategically. In this series of blogs, we unravel the complexities of involving key participants, addressing their concerns, and showcasing potential benefits through our Threat Modeling Playbook. We explore various approaches to acquiring threat modeling proficiency, ranging from a self-initiated start to engaging experts or implementing comprehensive training programs. Importantly, we stress the significance of showcasing a return on investment by aligning recommendations with tangible security enhancements.

Threat modeling is a methodology to identify risks and hence should be integrated in your organization’s risk management process. As a best practice we look at the risk management process described in ISO27005:2018 and map our threat modeling activities on this process.

Figure 1 shows a simplified overview of the main stages of the risk management process. We can summarize the threat modeling activities in three categories:

  • Time of the people involved in creating the threat model.
  • Threat modeling expertise (especially if you are starting out).
  • Time, resources, and authority to address the resulting threats.

The risk management stages we consider for threat modeling are:

  • Context establishment
  • Communication
  • Risk assessment and treatment
  • Monitoring and review

In each of these stages, we map related threat modeling activities. These threat modeling activities are grouped by people, process, or technology categories.

Figure 1: Threat Modeling in your organization – integration with the risk management process

Context establishment

First, you need to understand how your organization handles and manages risk. The same risk can have a totally different impact in different organizations. For threat modeling the following activities are important concerning context establishment:

Process:

  • Understand the current process: it is crucial to understand existing processes in your organization and how to integrate threat modeling in them.
  • Introduce application security risk levels: by using application security risk levels and deciding when to apply threat modeling you can focus on the most important applications first.
  • Define threat modeling methodology: there are many ways to define a threat model. You should select the methodology that fits your organization best.

Technology:

  • Identify current toolset: identify tools and technologies used in your organization. This will help to assess how to integrate threat modeling in the existing toolset.

Risk assessment and treatment

Secondly, you execute the threat modeling activity as part of the risk assessment stage. Here you follow the selected threat modeling methodology.

Process:

  • Perform and persist threat model: you create and store your threat model.

Technology:

  • Whiteboards and flipcharts for modeling: most threat modeling methodologies are easy to start on a whiteboard or flipchart.
  • Persisting models: tools and technology to store threat models.
  • Integration with DevOps tooling: when working in a development environment, integrating with the development tooling is highly recommended.
  • Use special threat modeling tooling: dedicated threat modeling tools exist that can support you in threat modeling.
  • Threat modeling as code: following the example of infrastructure as code, threat modeling as code also exists and can have several benefits.

The identified risks should be handled according to the risk management policy/process in use in your organization. The first step is to consider different risk treatment options such as: risk reduction, risk retention, risk avoidance or risk transfer. Based on a cost / benefit calculation, you select your best options.

Monitoring & review

Thirdly, risks are not static and will change over time. Exposure of the vulnerability leading to the risk may change, sensitivity of the information in the application may change, a risk may not be remediated in time, and so on. Hence it is important that your risks and their factors are regularly monitored and reviewed. For threat modeling this consists of the following activities:

Process:

  • Follow up on threat model actions: action should be taken on findings that come out of a threat model.
  • Optimize methodology and risk calculation: to facilitate continuous improvement, you should monitor and optimize your threat modeling methodology.

Communication

Finally, communication is key when creating a threat model. It is not possible to create a proper threat model without collaboration.

People:

  • Identify stakeholders: identify the different stakeholders you involve in creating a threat model.
  • Create a threat modeling specialist role: a threat model specialist role will facilitate threat modeling in your organization.
  • Train your people: security awareness is critically important. Threat modeling training is a must when you start with threat modeling.
  • Threat modeling culture: it is important to create a supporting culture for threat modeling.
