Threat modeling is a structured approach that aims to identify and prioritize potential threats and vulnerabilities in software applications. It involves identifying potential attackers, their motivations, and the methods they might use to exploit vulnerabilities in a system. The goal is to identify potential security risks early in the software development life cycle (SDLC) so they can be addressed before software is deployed. Threat modeling methods create artifacts including
Threat modeling works by identifying the types of threat agents that cause harm to an application or computer system. It adopts the perspective of malicious hackers to see how much damage they could do.
When conducting threat modeling, organizations perform a thorough analysis of the software architecture, business context, and other artifacts (e.g., functional specifications, user documentation). This process enables a deeper understanding and discovery of important aspects of the system.
Typically, organizations conduct threat modeling during the design stage of a new application (though it can occur at other stages) to help developers find vulnerabilities and become aware of the security implications of their design, code, and configuration decisions. Generally, developers perform threat modeling in four steps.
When performed correctly, threat modeling can provide a clear line of sight across a software project, helping to verify security efforts. The threat modeling process helps an organization document security threats to an application and make rational decisions about how to address them.
A well-documented threat model provides assurances that are useful in explaining and defending the security posture of an application or computer system. Threat modeling is the most effective way to
As a security process, threat modeling is subject to several misconceptions. Some people believe threat modeling is only a design-stage activity, some see it as an optional exercise for which penetration testing or code review can substitute, and some think the process is simply too complicated. Here is why these misconceptions should be dispelled.
Threat modeling promotes security understanding across the whole team. It’s the first step toward making security everyone’s responsibility. Conceptually, threat modeling is a simple process. So consider these five basic best practices when creating or updating a threat model.
Figure 1: Security model of a system
Historically, threat modeling was a manual activity in which security experts and stakeholders drew diagrams on whiteboards. However, with the adoption of DevSecOps, security teams are under significant pressure to keep up with the fast and frequent releases of development and minimize security friction, leading to the adoption of automation practices.
Automated threat modeling practices should act as a supplement to the threat modeling engineers on staff. Human oversight is essential because designing a system model that a computer can analyze is complex. The most efficient way to scale threat modeling is to have an experienced human build the threat model and use AI to process and interpret relevant data, with human oversight throughout the process.
Types of data that AI can process and interpret include
Remember, AI can only interpret the data provided to it, and if the data going into the AI system is flawed, the results will reflect that.
Synopsys software security services include threat modeling, which can identify weaknesses including secure design violations, omitted security controls, and misconfigured, weak, or misused controls. The Synopsys approach to threat modeling adheres to three steps.
Figure 2: Synopsys threat modeling approach
System modeling consists of two parts.
Conduct a threat analysis
Perhaps the most important activity in threat modeling is identifying threats. Most approaches fall into two categories.
Synopsys threat analysis uses a checklist to drive the core analysis while still leaving room for creative analysis. Synopsys uses a predefined application protocol threat analysis for commonly used application-level protocols, such as OAuth, SAML, OIDC, Kerberos, password-based authentication, and others. This list is not exhaustive, but it allows you to start thinking about areas of concern to analyze.
Prioritize threats
After we model the system and conduct a threat analysis, we generate a list of threats and then prioritize them. At Synopsys, we use the NIST approach to prioritizing threats, applying its guidelines to quantify the likelihood and impact of each threat and so determine its severity.
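To make the checklist-driven analysis and the likelihood-and-impact prioritization described above concrete, here is a small worked example. It is added here for illustration and is not Synopsys code or its actual checklist: the per-protocol checklist entries, the data flows in the system model, and the baseline likelihood and impact values are all constructed, and the risk matrix only follows the shape of the qualitative likelihood x impact combination in NIST SP 800-30 (the exact cell values are an assumption of this example). The checklist is applied to every data flow of the modeled system, likelihood is raised one level for flows that cross a trust boundary, and the resulting threats are ranked by risk level.

```python
from dataclasses import dataclass

# Ordinal qualitative scale used for likelihood, impact and resulting risk.
LEVELS = ["very low", "low", "moderate", "high", "very high"]

# Likelihood (row) x impact (column) -> risk level. The shape follows the
# qualitative combination matrix in NIST SP 800-30; the exact cell values
# here are an assumption for this example, not a quotation of the standard.
RISK_MATRIX = {
    "very high": ["very low", "low", "moderate", "high", "very high"],
    "high":      ["very low", "low", "moderate", "high", "very high"],
    "moderate":  ["very low", "low", "moderate", "moderate", "high"],
    "low":       ["very low", "low", "low", "low", "moderate"],
    "very low":  ["very low", "very low", "very low", "low", "low"],
}

# Constructed checklist: per-protocol threat entries with a baseline
# likelihood. These entries are illustrative, not Synopsys's own checklist.
CHECKLIST = {
    "OAuth": [
        ("authorization code or token leaked via an unvalidated redirect URI", "moderate"),
        ("bearer token replayed after theft (no sender binding, long lifetime)", "moderate"),
    ],
    "SAML": [
        ("assertion accepted without signature validation", "low"),
        ("assertion replayed outside its validity window", "low"),
    ],
    "password": [
        ("credentials transmitted over an unencrypted channel", "low"),
        ("online guessing against the login endpoint without rate limiting", "high"),
    ],
}


@dataclass(frozen=True)
class DataFlow:
    source: str
    destination: str
    protocol: str
    crosses_trust_boundary: bool
    data_impact: str  # impact level if the data on this flow is compromised


@dataclass(frozen=True)
class Threat:
    flow: DataFlow
    description: str
    likelihood: str
    impact: str
    risk: str


def shift(level, steps):
    """Move a qualitative level up or down the scale, clamped to its ends."""
    i = LEVELS.index(level) + steps
    return LEVELS[max(0, min(len(LEVELS) - 1, i))]


def risk_level(likelihood, impact):
    """Look up the combined risk level for a likelihood/impact pair."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def analyze(flows):
    """Checklist pass: every flow receives the entries for its protocol.
    A flow crossing a trust boundary gets its likelihood raised one level,
    because an attacker already holds a position on the untrusted side."""
    threats = []
    for flow in flows:
        for description, base_likelihood in CHECKLIST.get(flow.protocol, []):
            likelihood = shift(base_likelihood, 1 if flow.crosses_trust_boundary else 0)
            threats.append(Threat(flow, description, likelihood, flow.data_impact,
                                  risk_level(likelihood, flow.data_impact)))
    return threats


def prioritize(threats):
    """Highest risk first; ties broken by likelihood, then by impact."""
    def rank(t):
        return (LEVELS.index(t.risk), LEVELS.index(t.likelihood), LEVELS.index(t.impact))
    return sorted(threats, key=rank, reverse=True)


# Constructed system model: three data flows, two of which cross the
# boundary between the internet and the internal network.
SYSTEM = [
    DataFlow("browser", "login service", "password", True, "high"),
    DataFlow("browser", "api gateway", "OAuth", True, "high"),
    DataFlow("api gateway", "identity provider", "SAML", False, "very high"),
]

if __name__ == "__main__":
    for t in prioritize(analyze(SYSTEM)):
        print(f"{t.risk:9} L={t.likelihood:9} I={t.impact:9} "
              f"{t.flow.protocol}: {t.description}")
```

Running the script lists the six generated threats with the unthrottled password guessing entry first (very high likelihood against high-impact data), followed by the two OAuth entries, and the SAML entries last despite their very high impact, because nothing on the internal flow raised their low baseline likelihood. That ordering is the point of combining both dimensions rather than ranking on impact alone; swapping in a different matrix or checklist changes the ranking, not the procedure.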
Threat modeling is applicable at any stage of the software development life cycle, but incorporating it early in the software development process will ensure that your organization is building security into your applications. At Synopsys, we recognize that organizations have different risk profiles and tolerances, so we customize our threat modeling services to meet your budget and needs.
- This glossary was verified by Chai Bhat.