The term threat modeling, at first, may sound like something very complex and tedious to perform. However, once understood, it is indeed a simple task.

Let's try to break down the two words, threat and model. The following are the dictionary meanings of both the words:

  • Threat: A person or thing likely to cause damage or danger
  • Model: A system or thing used as an example to follow or imitate

Now, combining both the words again, what do they mean collectively? Threat modeling is nothing but a formal way to identify potential security issues. Let's take a very simple example to understand this: a medieval fort.

The fort is the place where the king resides, and it requires stringent security against his enemies. So, while the architects design the structure of the fort, they also need to consider the various threats that may compromise its security.

Once the architects have identified the possible threats, they can work on mitigating them by various possible means. Some threats to the fort might be the following:

  • Enemy attacking through the rear where the fort is less guarded
  • Enemy firing a cannonball at the walls of the fort
  • Corrosion and wear and tear of the fort walls due to extreme weather
  • Enemy elephants forcibly breaking the main entrance door of the fort

We just prepared a threat model for an ancient fort. It was simple: we tried to think of all the possible ways in which the security of the fort could be compromised, either intentionally or unintentionally. Similarly, a threat model must be prepared while constructing a President's house or any important administrative office.

From the preceding example, we can understand that threat modeling is a generic concept that can be applied to any area or field where security is a requirement. Since this book deals with information security, we'll discuss how a threat model needs to be prepared for a given information system.

Threat modeling is most effective and beneficial when done during the design phase of the development lifecycle, because the cost of fixing a security flaw rises significantly in the later stages of the SDLC.

Threat modeling is very commonly used in the software development life cycle. It enables the participants in the software development process to efficiently create and deliver secure software with a greater degree of confidence that all possible security flaws are understood and accounted for.

The benefits of threat modeling

For any given project, it is always helpful to understand the threats that may hinder its overall progress. Threat modeling does exactly this. Some benefits of threat modeling are:

  • Threat modeling produces software that is inherently secure by design—if the threat modeling is done right in the design phase, then the end product will become inherently secure against most common potential threats.
  • Threat modeling allows us to think and discuss product security in a more structured way—instead of discussing security threats in an ad-hoc manner, threat modeling offers a more formal and structured way of enumerating and documenting security threats.
  • Threat modeling permits development teams to effectively identify and define security flaws early in the SDLC process.
  • Threat modeling allows us to document and share application security knowledge—with technology upgrading at a rapid pace, the threat landscape is changing at a fast pace as well. Ongoing threat modeling exercises help ensure that the latest threats are considered and anticipated when designing mitigating controls.
  • Threat modeling increases customer confidence from a security perspective—documented evidence that the threat modeling process has been followed will certainly boost customer confidence in the security of the system delivered.
  • An ongoing threat modeling exercise would help reduce the overall attack surface area.
  • Threat modeling can help in quantifying security controls, making it more practical to align with the security budget.