or Whiteboard Hacking
Threat Modeling is the best way to expose and analyze risk in system designs.
Coming from the field of application security, it has become a widely used way of analyzing any IT or OT system for weaknesses. In fact, Threat Modeling has become ‘a must’ in compliance-heavy industries such as Automotive and Medical Device Manufacturing (MDM). The Food and Drug Administration (FDA) requires MDMs to threat model during the design phase of new systems or they are just not allowed to go to market!
We also call Threat Modeling ‘White Board Hacking’ because it brings system owners, architects, designers and developers around the table. It engages them in a structured way to take a deep look at the structure of the IT system and use scenarios and risk patterns to find stress points and vulnerabilities.
Threat modeling is the way to avoid risks in your systems upfront. Without threat modeling, your protection is a shot in the dark and you will only know your vulnerabilities once someone exploits them.
Why Threat Model?
Threat modeling doesn’t take the need for penetration testing away. Rather, it guides penetration testing efforts and makes sure some vulnerabilities don’t appear at all.
Threat Modeling allows you to talk about risk in a structured and guided way, using ‘risk patterns’ that are relevant to the system (such as privacy, industrial security, safety).
Some of the benefits of Threat Modeling are:
- TM brings business and IT to the table in a focused discussion.
- It allows for a high-level security risk assessment methodology and risk matrix to be directly applied to a design, bridging the gap between security governance and design.
- It creates a living piece of security documentation that can evolve with the system. When the system is changed, the Threat Model is updated to reflect a new reality.
- It clearly shows how complex systems are linked and dependent on external systems, which may be a weakness.
- A Threat Model enhances the value of penetration testing, by highlighting areas of interest, where penetration tests should be focused.
Very simple. Toreon has been at the forefront of Threat Modeling internationally, having trained hundreds of professionals in our Threat Modeling training. Our experts in application, IT system and OT architecture have Threat Modeled countless systems, including:
- SaaS software
- Critical business applications
- OT environments such as smart energy networks, wind turbines and all kinds
- Process industry systems
- Nuclear environments
- Privacy-sensitive systems
Our expertise, combined with our clients’ intimate knowledge of their systems, has created safer and more secure systems worldwide.