or Whiteboard Hacking
Threat Modeling is the best way to expose and analyze risk in system designs.
Coming from the expert field of application security, it has become a widely used way of analyzing any IT or OT system for weaknesses. In fact, Threat Modeling has become a must in compliance heavy industries such as Automotive and Medical Device Manufacturing (MDM). The Federal Drug Administration (FDA) requires MDMs to threat model during the design phase of new systems or they are just not allowed to go to market!
We also call Threat Modeling ‘White Board Hacking’ because it brings system owners, architects, designers and developers around the table. It engages them in a structured way to take a deep look at the structure of the IT system and use scenarios and risk pattern to find stress points and vulnerabilities.
Threat modeling is the way to avoid risks in your systems upfront. Without threat modeling your protection is a shot in the dark and you will only know your vulnerabilities once someone exploits them.
Why Threat Model?
Threat modeling doesn’t take the need for pentesting away. Rather, it guides pentesting efforts and makes sure some vulnerabilities don’t appear at all.
Threat Modeling allows to talk about risk in a structured and guided way, using ‘risk patterns’ that are relevant to the system (such as Privacy, industrial security, safety).
Some of the benefits of Threat Modeling are:
- TM brings business and IT to the table in a focused discussion.
- It allows for a high level security risk assessment methodology and risk matrix to be directly applied to a design, bridging the gap between
security governance and design.
- It creates a living piece of security documentation that can evolve with the system. When the system is changed, the Threat Model is updated to reflect a new reality.
- It clearly shows how complex systems are linked and dependent on external systems, which may be a weakness.
- A Threat Model enhances the value of penetration testing, by highlighting areas of interest, where penetration tests should be focused.
Very simple. Toreon has been at the forefront of Threat Modeling internationally, having trained hundreds of professionals in our Threat Modeling training. Our experts in application, IT system and OT architecture have Threat Modeled countless systems, including:
- SaaS software
- Critical business applications
- OT environments such as smart networks, windmills and all kinds of process industry
- Nuclear environments
- Privacy sensitive systems
Our expertise combined with our clients’ intimate knowledge of their systems, together have created safer and more secure systems worldwide.
Need help Threat Modeling your system or application?
Leave your contact details and an expert will be in touch.
Stop shooting in the dark
Threat modeling – also called Architectural Risk Analysis – is an essential step in the development of your application. Without it, your protection is a shot in the dark. Download our whitepaper and discover how to do threat modeling right.