GUEST ARTICLE
5 Challenges of Rolling Out Threat Modeling within an Enterprise-Sized Company
Rolling out a threat modeling program within an enterprise-sized company is a big and difficult task. The difficulty lies in dealing with the scale involved, the sheer number of people and stakeholders, working with many internal processes, and integrating within (DevOps) development processes just to mention a few factors.
The following are 5 key challenges in rolling out threat modeling within an enterprise-sized company, along with (potential) solutions.
Challenge #1: Getting buy-in from senior management
Before we even begin rolling out threat modeling within an enterprise-sized company, we must get senior management buy-in. This is needed because threat modeling requires time and resources. Getting buy-in is challenging because senior management, and to some extent some other security practitioners, do not see the benefit of performing threat modeling in addition to other security activities (such as compliance reviews, code reviews, pentesting, and more).
Solution(s): Start with a Proof of Concept (PoC), or threat modeling at a small scale. Ensure that the small-scale threat modeling shows added security value in the form of threats and countermeasures that were previously not identified and ideally show the countermeasures have been identified and implemented. Once security-added value is shown, ensure that the relevant teams and senior management are aware via presentations and talks. Do not underestimate how much effort is required in ‘selling’ threat modeling.
Challenge #2: Training at scale
If you’re rolling out threat modeling to dozens or even hundreds of (DevOps) teams, providing adequate training at that scale can become time-consuming. This applies whether you’re doing manual threat modeling or tool-based threat modeling. Training is required for newly onboarded teams, but also on an ongoing basis because teams face attrition, onboarding of new hires, and other changes.
Solution(s): Create videos or interactive trainings covering threat modeling basics. The training should also cover how threat modeling is performed within the company and the steps involved. For manual threat modeling, that consists of explaining the templates used, the manual steps involved, etc. For tool-based threat modeling, that consists of explaining how the tool works, how its main features are used, etc. Ensure that instructor-led training still follows the videos or interactive training: creating videos and interactive training aims to reduce instructor time, not to remove it completely.
Challenge #3: Perceived duplication from other security activities
Enterprise-sized companies, especially those with a mature security program, have many existing security activities such as creating and enforcing security policies, performing security compliance reviews, pentesting, code reviews, vulnerability management, and more. When performing threat modeling, some threats that are identified will get the feedback that another security process already covers them, and thus the team will not spend further time on it.
Solution(s): Explain to teams that newly identified threats and countermeasures may overlap with other security capabilities or existing security requirements, and that they should keep an open mind while threat modeling. Threat modeling may identify gaps that have not previously been identified (even where other security processes cover these areas).
Note that threat modeling may uncover structural gaps in other parts of the security program. If that is the case, ensure that these gaps are highlighted at the right level within the security organization.
Challenge #4: Distributed responsibilities for security capabilities
Within an enterprise-sized company, (DevOps) teams build applications using many centralized security services and thus do not have to build these features themselves. For example, a typical enterprise application uses a centralized identity & access management system, a centralized security logging & monitoring solution, a centralized backup & recovery solution, and so on, instead of building these solutions themselves. In fact, many teams even receive pre-hardened and approved components like databases and APIs.
This can make threat modeling more challenging because teams will have difficulty thinking about potential threats in cases where another centralized team is providing the bulk of a capability.
Solution(s): When a centralized security service is provided to (DevOps) teams, it must still be consumed effectively. The (DevOps) team should be instructed to think about 1) consuming the centralized security services effectively and 2) the boundaries between the centralized security services and the application being built by the (DevOps) team.
The threat modeling team should think carefully about this situation and provide effective guidance.
Furthermore, when threats and countermeasures are assigned to individuals and teams, they must be assigned to the correct responsible party.
Challenge #5: Threat modeling reporting can be difficult to understand
Major security activities such as threat modeling require reporting and dashboarding to show relevant stakeholders the current state, the progress made, the current risks, etc. For threat modeling, reporting can be used to sell progress made and to highlight added security value.
It can be difficult to determine which metrics should be used to show the current state of threat modeling. Specifically, the metrics for threats and countermeasures can confuse stakeholders:
- Are the threats severe enough that they require a countermeasure to be implemented?
- Are the countermeasures mandatory, or are they implemented on a best-effort basis?
- Have the countermeasures been implemented, thus resolving the threat? (This data can be difficult to automate.)
(DevOps) teams often struggle to implement security measures that are not required or mandatory.
Note that ideally, threat modeling reporting shows that threats are identified that would otherwise go unnoticed, and that countermeasures are actually implemented by teams, thus solving the threat, and reducing overall risk.
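As an added illustration (not part of the original article), the following Python snippet computes threat modeling metrics over a small constructed inventory while keeping the three stakeholder questions above separate: whether a threat is severe enough to warrant a countermeasure, whether that countermeasure is mandatory or best-effort, and whether it has been implemented and which responsible party owns it. The severity threshold, field names, owners and sample threats are assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    tid: str
    severity: str        # "low", "medium" or "high"
    mandatory: bool      # True: countermeasure is required; False: best-effort
    implemented: bool    # countermeasure confirmed implemented by the owning team
    owner: str           # party responsible for the countermeasure (Challenge #4)

# Severities for which a countermeasure is expected (assumed threshold).
ACTIONABLE = {"medium", "high"}

def needs_countermeasure(t: Threat) -> bool:
    return t.severity in ACTIONABLE

def is_open(t: Threat) -> bool:
    # A threat counts as open only if it is actionable AND still unresolved;
    # low-severity findings do not inflate the "open" figure.
    return needs_countermeasure(t) and not t.implemented

def report(threats: list[Threat]) -> dict:
    """Metrics that answer each stakeholder question separately."""
    actionable = [t for t in threats if needs_countermeasure(t)]
    mandatory = [t for t in actionable if t.mandatory]
    open_ = [t for t in threats if is_open(t)]
    return {
        "threats_total": len(threats),
        "threats_needing_countermeasure": len(actionable),
        "mandatory_total": len(mandatory),
        "mandatory_implemented": sum(t.implemented for t in mandatory),
        "mandatory_open": sum(t.mandatory for t in open_),
        "best_effort_open": sum(not t.mandatory for t in open_),
        "high_severity_open": sum(t.severity == "high" for t in open_),
        "open_by_owner": dict(Counter(t.owner for t in open_)),
    }

# Constructed sample inventory; identifiers and owners are illustrative only.
SAMPLE = [
    Threat("T-1", "high", True, True, "app-team"),
    Threat("T-2", "high", True, False, "iam-platform"),
    Threat("T-3", "medium", False, False, "app-team"),
    Threat("T-4", "low", False, False, "app-team"),
    Threat("T-5", "medium", True, True, "logging-platform"),
]

if __name__ == "__main__":
    for key, value in report(SAMPLE).items():
        print(f"{key}: {value}")
```

Splitting "mandatory open" from "best-effort open" and attributing open items to their owner is what lets a dashboard show residual risk rather than a single, ambiguous threat count.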
Conclusion
These are 5 challenges and their respective solutions for rolling out threat modeling within an enterprise-sized company. Note that each threat modeling program, and indeed each security program, is unique and may present other threat modeling challenges.