10 tips for building an enterprise threat modeling program

Threat modeling has been taken up by many cybersecurity programs over the past few years. Now, with the release of the Threat Modeling Manifesto and an industrywide movement toward Secure by Design, threat modeling has the attention of enterprise management.

Security teams must now map out an actionable threat modeling program. Here are 10 key tips for how to build a proper foundation for a threat modeling program in the enterprise.

Related: Threat Modeling and Supply Chain: An Essential Tool Webinar: Threat Modeling and Supply Chain: Why It Matters More Than Ever

1. Choose a solid process

The first tip is to choose a process that will do the job of threat modeling well. For example, you might consider Adam Shostack’s excellent four-question framework for threat modeling, but that isn’t a threat modeling process. In the enterprise, you need more depth, since you will magnify the process across tens, hundreds, or thousands of engineers, depending on your organization's size.

A simple process with more detail considers five key aspects of a threat modeling process: scope, draw, analyze, mitigate, and document. With scope and draw, you answer Shostack’s question, “What are we building?” The scope step helps engineers understand the level of effort involved in a threat model up front so that they don't try to bite off too much at once. Draw leads engineers into the data flow diagram representation, which is based on polling of threat modeling communities worldwide and appears to be the most prevalent representation is use.

Analyze answers the question, “What can go wrong?” It's the step where engineers consider the potential threats by iterating through a diagram using a methodology such as STRIDE (a mnemonic name derived from "spoofing, tampering, repudiation, information disclosure, and elevation of privilege").

Mitigate answers the question, “What are we going to do about it?” In this step, engineers focus on applying mitigations to the identified threats.

The process concludes with document, so that the organization maintains a copy of the threat modeling output. Storing the work ensures that there is a starting point for consideration when revisiting a model in the future.

2. Embrace STRIDE

STRIDE is a simple but powerful methodology that is easy to understand and internalize. Use it as a starting point to teach your teams how to threat model, and then graduate to more complex methodologies.

3: Embed threat modeling in the SDL

Threat modeling in the enterprise is about repeatability. Embed it as a defined activity within your secure development lifecycle (SDL). First, document the process at a high level and mandate the placement of the threat modeling artifacts inside existing deliverables (if they exist). Then, integrate threat modeling into the systems your teams use daily, such as the Jira and Asana tracking tools.

4. Focus on the mitigations

Getting caught up in the thrill of the hunt regarding threats can be easy. Focus your enterprise program and your teams on mitigations. A threat model is only as good as its ability to mitigate threats.

Measure the mitigations created within all the threat models across the organization. Mitigations are the key to measuring the ROI of threat modeling.

5. Threat modeling quality checks and governance

Institute a quality-control check for each threat model. The security team can perform only some of the quality checks, so it's good to have security champions in the enterprise to lower the amount of work for security.

Ask these questions for each threat model: Did the team that created the model follow the defined threat modeling process? Were interesting threats discovered? Did the team properly apply mitigations to those threats? Was the model documented correctly? If the answer to most of these questions is yes, the model is giving value to the organization. The answers are not a statement of model quality, though. Instead, they are an acknowledgment that all models offer value. Don’t be judgmental or harsh; build a strong security culture with your feedback.

After threat modeling reaches a level of maturity inside the enterprise, extend the SDL to have a governance angle to threat modeling. Mandate the production of threat models at a predetermined scoping level. Enforce threat modeling at the user-story level for all new features and refresh threat models every three months when changes exist to the component.

6. Build a diverse collection of threat modeling champions

The Threat Modeling Manifesto says that building a diverse group of threat modeling champions will cause the quality of your threat modeling output to soar. Each role within a team has a different perspective and set of experiences. Product managers see a feature differently than developers or testers do.

7. Workshop the teaching of threat modeling

To deploy threat modeling across the enterprise, tens to thousands of future threat modelers must prepare. Because threat modeling is better caught than taught, one of the best approaches to teaching threat modeling is the workshop method, where the concepts can be introduced at a high level before diving into performing exercises that put threat modeling into action.

8. Embrace threat modeling coaches

Threat modeling coaches are security team members or security champions working with groups for a limited time to teach the threat modeling process alongside the team. Coaches are a powerful construct because they magnify the threat modeling process across a long organization, one unit at a time.

9. Broaden your threat sources

After internalizing STRIDE across the organization, look for other sources of threat to consider. Additional sources provide more context and fodder for the teams as they consider how to go deeper into the threat modeling discipline. Two good choices are the Application Security Verification Standard (ASVS) from OWASP and Common Weakness Enumeration (CWE) from Mitre.

10. It's not just tools — it's a mindset

Tools are essential, but they do not replace the internalization of threat modeling's essence. Threat modeling is a state of mind that the program must teach. After threat modelers grasp why they threat model and how the process works manually, they are ready to embrace threat modeling tools.

Get started with a good foundation

Threat modeling in the enterprise can seem like an impossible task. With these 10 tips, you can build or adapt your program to transform every team member into a successful threat modeler.

Chris Romeo is CEO of the threat modeling company Devici. This post originally appeared on Threat Modeling Connect.