RL Blog
AppSec & Supply Chain Security | May 16, 2024

When it comes to threat modeling, not all threats are created equal

With inherent threats, which are core to the system being modeled, protective measures cannot be perfect or complete. Here's how to best manage that.

John P. Mello Jr., freelance technology writer

One fundamental principle every threat modeler learns very early in their career is that not all threats are created equal. Some threats can be fixed more easily than others. Among the threats most difficult to fix — if they can be fixed at all — are inherent threats, which are threats that touch the essence of a system.

Threat modeler Adam Shostack explained in a recent whitepaper that when a threat is tied directly to a system, protective measures cannot be perfect or complete — and understanding those tradeoffs influences threat modeling in two important ways: "First," he said, "it informs more in-depth threat modeling as we struggle to specify answers to 'What are we going to do about it?' Second, it helps us consider inherent threats when we scale threat modeling across hundreds or thousands of systems so we can prioritize what gets attention first."

Nataliya Shevchenko, a senior member of the technical staff in the CERT division at Carnegie Mellon University's Software Engineering Institute, said inherent threats are introduced by flaws or necessities in the design or processes of a system, which makes them the hardest and most expensive to mitigate, especially if identified late in the system engineering lifecycle.

Early performance of threat modeling, ideally during the conceptual phase of system design, provides an opportunity to identify inherent threats before system construction or key decisions are finalized. This proactive approach enables the organization to address the flaw that creates the possibility of inherent threats or develop a mitigation to minimize the risk it introduces.

Nataliya Shevchenko

Subsequent iterations of threat modeling should occur whenever alterations are made to the system's architecture or processes, spanning all levels of abstraction from conceptual to physical implementation, she added.

Here are key takeaways from the Shostack + Associates whitepaper — along with insights from top threat modeling subject matter experts.


Building custom libraries will pay off

Inherent risks will be addressed via early detection and response or by risk acceptance and transfer, Shostack said. "If you find threats that will lock in design choices or create compatibility problems to fix, addressing them soon and even delaying a release will pay off," he wrote.

Chunyi Peng, an associate professor of computer science at Purdue University, said that identifying inherent threats can directly help organizations become aware of possible threats — and thus take actions to avoid such risks. That was the case in research cited by Peng.

We investigated inherent threats in 911 services on 5G/4G networks. While these inherent threats have not been exploited as real attacks against 5G/4G networks and 911 services, our study was able to help standards makers and operators realize possible risks and make decisions with a good tradeoff between usability and security.

Chunyi Peng

There is no 100% secure system, Peng added. That implies that it is impossible to mitigate all risks. Inherent threats are often those that are feasible but occur in an unanticipated way. "As usability is often more important than security in many cases, inherent threats are inevitable when well-established security protection is not fully performed or complex operations are partially checked in field trials," she said.

Chris Romeo, CEO of the threat modeling company Devici, said that categorizing, triaging, and mitigating inherent threats are crucial because such threats contain hidden organizational risks. Understanding inherent risks helps with threat modeling because it builds a custom threat library specific to your organization and environment, he said. Not all companies have the same risk profile, so their threat landscape differs. "The custom threat library lets you focus on the most crucial items in your world that will cause you the most reputational or monetary damage," Romeo said.

When applying the custom threat library to your application inventory, you now have specific items backed by the security and privacy teams, thinking deeply about the real threats to the things you build. This will result in less pushback from development teams when asked to perform threat modeling because they have traceability between threat/risk and real-world challenges.

Chris Romeo

CERT's Shevchenko said that identifying inherent threats allows organizations to understand the potential risks based on their objectives and business operations. "By addressing the most critical risks, organizations can prioritize their resource allocation," she said.

Scale your threat modeling the smart way

Understanding if a threat is inherent to a system is tremendously clarifying, Shostack said. "It informs how we address that threat," he wrote in the whitepaper.

It shows us where residual risk is unavoidable. It dictates our choices of how to balance protection, detection, and response. Last, but certainly not least, it enables us to scale threat modeling across the enormous application inventories that companies develop as they grow.

Adam Shostack

Shevchenko explained how the discovery of inherent threats can help scale threat modeling across an organization, and she noted how applications developed within the same organization typically share architecture, platforms, and processes. When threat modeling is conducted on these shared resources and inherent threats are pinpointed, they become relevant to all applications utilizing those resources, she said.

This eliminates the necessity for conducting exhaustive threat modeling rounds for each individual application, Shevchenko said. "Instead, the focus can be directed toward examining unique processes and architectural components. Therefore, by addressing or mitigating common inherent threats, protection is extended to all applications leveraging those resources."
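The two ideas above, Romeo's custom threat library with traceability back to the things you build and Shevchenko's point that a threat found once on a shared platform applies to every application built on it, can be made concrete in a few lines. The following is an added illustration, not code from the Shostack + Associates whitepaper or from any of the experts quoted here. The component names, threat entries, scores, and the four treatment categories are all constructed assumptions: threats attach to components, applications declare the components they use, and an inherent threat is not allowed to claim a full mitigation, so its score stays on the books as residual risk that drives the review order.

```python
"""Added example (not from the whitepaper or the article): a toy threat
library applied to an application inventory.

Threats attach to components; applications declare which components they
use, so a threat found once on a shared platform is inherited by every
application built on it.  Inherent threats cannot be "mitigated" away:
their treatment must be detect/respond, accept or transfer, and their
score stays on the books as residual risk.  All names and data below are
constructed for illustration.
"""
from dataclasses import dataclass

# Treatments in the sense of the article: a full fix versus the options
# left for a threat that is tied to the essence of the system.
TREATMENTS = ("mitigate", "detect_respond", "accept", "transfer")


def validate_treatment(inherent: bool, treatment: str) -> bool:
    """An inherent threat can only be detected/responded to, accepted or
    transferred; a claimed full fix (or an unknown treatment) is rejected."""
    if treatment not in TREATMENTS:
        return False
    return not (inherent and treatment == "mitigate")


@dataclass(frozen=True)
class Threat:
    id: str
    description: str
    component: str        # shared or app-specific component it attaches to
    impact: int           # 1 (low) .. 5 (severe)
    likelihood: int       # 1 (rare) .. 5 (expected)
    inherent: bool = False
    treatment: str = "mitigate"

    def __post_init__(self):
        if not validate_treatment(self.inherent, self.treatment):
            raise ValueError(f"{self.id}: invalid treatment {self.treatment!r} "
                             f"for inherent={self.inherent}")

    @property
    def score(self) -> int:
        return self.impact * self.likelihood


@dataclass(frozen=True)
class Application:
    name: str
    components: frozenset  # components the application is built on


def threat_library() -> list:
    """Constructed custom threat library: two threats are inherent to the
    shared platform, two are ordinary design issues that can be fixed."""
    return [
        Threat("T1", "federated SSO must accept upstream identity-provider tokens",
               "auth-platform", impact=5, likelihood=3, inherent=True,
               treatment="detect_respond"),
        Threat("T2", "shared build pipeline must consume third-party packages",
               "ci-pipeline", impact=5, likelihood=2, inherent=True,
               treatment="detect_respond"),
        Threat("T3", "per-client rate limit can be bypassed at the API gateway",
               "public-api-gateway", impact=3, likelihood=3),
        Threat("T4", "missing object-level authorization check in billing",
               "billing-service", impact=4, likelihood=2),
    ]


def inventory() -> list:
    """Constructed application inventory sharing the platform components."""
    return [
        Application("customer-portal", frozenset(
            {"auth-platform", "ci-pipeline", "public-api-gateway", "billing-service"})),
        Application("internal-admin", frozenset({"auth-platform", "ci-pipeline"})),
        Application("static-docs-site", frozenset({"ci-pipeline"})),
    ]


def threats_for(app: Application, library: list) -> list:
    """Threats an application inherits from the components it uses."""
    return [t for t in library if t.component in app.components]


def affected_apps(threat_id: str, apps: list, library: list) -> list:
    """Reverse traceability: which applications a single threat reaches."""
    threat = {t.id: t for t in library}[threat_id]
    return [a.name for a in apps if threat.component in a.components]


def residual_risk(app: Application, library: list) -> int:
    """Score that cannot be engineered away: every threat whose treatment
    is not a full mitigation (all inherent threats land here)."""
    return sum(t.score for t in threats_for(app, library)
               if t.treatment != "mitigate")


def prioritize(apps: list, library: list) -> list:
    """Rank applications for review: highest residual risk first, then
    highest total score, then name for a stable order."""
    rows = [(a.name, residual_risk(a, library),
             sum(t.score for t in threats_for(a, library)))
            for a in apps]
    return sorted(rows, key=lambda r: (-r[1], -r[2], r[0]))


if __name__ == "__main__":
    lib, apps = threat_library(), inventory()
    for name, residual, total in prioritize(apps, lib):
        print(f"{name:18} residual={residual:3} total={total:3}")
    print("T2 reaches:", ", ".join(affected_apps("T2", apps, lib)))
```

Running it ranks customer-portal first on residual risk, with internal-admin tied on residual but lower on total, and shows that the pipeline threat T2 reaches all three applications, including a static documentation site that was never threat modeled on its own. That is the point of modeling the shared resource once: the per-application rounds can then concentrate on the unique components (here, the billing check and the gateway rate limit).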

Callie Guenther, a cyberthreat research senior manager at Critical Start, said that in today's digital landscape, recognizing inherent threats to our systems is more than just a precaution — "it's a necessity." Understanding these threats allows us to model potential risks accurately, discerning between those that are fundamental to the technology and those we can actually mitigate. "This knowledge not only guides us in making savvy decisions about which risks we can tolerate but also ensures that our resources are pointedly directed toward safeguarding critical aspects of our infrastructure," she said.

Make it a feature and not a bug of your approach

Additionally, the inherent risks that emerge from necessary trade-offs — such as the balance between functionality and security — require us to think strategically about implementing effective controls without stifling essential features, Guenther said.

As we scale our threat modeling efforts across vast application inventories, this understanding prioritizes our focus, helping us to fortify our systems proactively rather than reactively. This proactive stance is not just about defending against threats. It's about creating a resilient framework that supports sustainable growth and innovation.

Callie Guenther
