The Challenges of Rolling Out Threat Modeling at a Large Company

The challenges of rolling out threat modeling at a large company are many. In this article, I’ll explain these challenges and present potential solutions. These are not the only challenges, and these are not the only solutions. But they’re a good starting point.

If you don’t know what threat modeling is, check the following link:

Threat Modeling Training at Scale

  • Challenge: It is difficult to teach a large group of people about threat modeling, which is needed in order to roll out threat modeling effectively. The group should include all relevant professionals that work on changes and development within the company (think developers, project or program managers, product owners, testers, business analysts, business owners, etc.). If there are hundreds of change/development (or DevOps) teams, thousands of people need training.
    • Solution: Develop and roll out a standardized learning program that teaches threat modeling. The standardized learning program should use a variety of videos, written materials, and interactive sessions with threat modeling coaches. Participants (those from change/development/DevOps teams) should follow the training and receive a digital certificate upon completion. The company should monitor whether team members have completed the training. The result of completing the training should mean that participants can perform threat modeling according to the standardized threat modeling methodology developed by your company.

Threat Modeling Methodology

  • Challenge: It is difficult to pick a suitable threat modeling methodology (such as STRIDE threat modeling, PASTA threat modeling, a custom method, etc.) that works well across hundreds of teams, given that they have many different situations and use cases. For example, one team may develop its software with its code base, and another team may use Commercial off-the-Shelf Software (COTS). One team may be very good technically and have a good understanding of security, and another team may have limited knowledge.
    • Solution: Pick a clear, not overly ambitious threat modeling methodology based on a standard, and customize it for your company. Develop the methodology with the expected backgrounds, technology stacks, and technical knowledge in mind. Make sure that the training includes enough time and an explanation of the methodology so that teams understand how to use the methodology, and how it helps them to improve their security. The methodology used shouldn’t be too ambitious (to start with); otherwise teams will have difficulty applying threat modeling independently.

Management Buy-In for Threat Modeling

  • Challenge: It is difficult to get management buy-in to roll out threat modeling as an extra security activity, on top of other security activities such as penetration testing, security compliance, (developing and checking) security baselines, security code reviews, etc. Management often does not immediately understand the benefit of threat modeling.
    • Solution: Clearly explain and demonstrate the added value of threat modeling. Management needs an explanation of the qualitative benefits of threat modeling, along with actual results showing this is the case – the most suitable results include security requirements that are actually implemented in a product or service (which would otherwise not be implemented without threat modeling). Threat modeling provides measurable threats, which may negatively impact an application, and measurable security requirements (countermeasures), which positively impact the security posture of an application or IT system.

Manual Threat Modeling Versus Automated Tool Based Threat Modeling

  • Challenge: It is difficult to use manual threat modeling methods (manual threat modeling means using something like Confluence, Miro, or a white-boarding tool, as opposed to a specialized threat modeling tool), because the results stay in that tool or whiteboard, where they get lost, run into access-rights issues, and lack standardization.
    • Solution: Use tooling-based automated threat modeling solutions. Tooling-based threat modeling solutions provide:
      • Threat models created according to a standardized approach.
      • Easier roll-out to many professionals (within many DevOps teams).
      • Easy tracking of threat models.
      • Easy measurement of results (i.e., number of threat models created, number of threats identified, number of security requirements developed, number of security requirements actually implemented, etc.).
      • More efficient identification of potential threats.
      • More efficient identification of potential security requirements.
      • Many more!

Threat Modeling Reporting and Metrics

  • Challenge: It is difficult to set up a clear threat modeling process with standardized metrics, which is needed in order to show progress and results within the company.
    • Solution: Make sure to set up processes that can be measured clearly and effectively. This can be achieved by having clear definitions of what it means to complete a threat model, what it means to define potential threats, and what it means to define security requirements. Remember, potential threats and security requirements are the key success metric of a threat model. Make sure that you develop reports that contain these metrics, and that these reports are shared within the company and with management.
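The metrics named above, as an added example that is not the author's tool or code from the original article: a small Python aggregator over a constructed export of threat-model records. The definition of a "complete" threat model, the record layout, and the team names are assumptions chosen for the example.

```python
"""Threat-model metrics aggregator (added example, not the author's tool).

Assumes each threat model is exported as a dict with a team, a system and a
list of threats; the records below are constructed sample data."""
from collections import Counter

# Constructed sample export: one record per threat model, one entry per threat.
THREAT_MODELS = [
    {"team": "payments", "system": "checkout-api", "threats": [
        {"id": "T1", "category": "Spoofing", "requirement": "Mutual TLS between services", "status": "implemented"},
        {"id": "T2", "category": "Tampering", "requirement": "Sign order payloads", "status": "planned"},
    ]},
    {"team": "payments", "system": "refund-batch", "threats": []},  # started, never completed
    {"team": "identity", "system": "login-portal", "threats": [
        {"id": "T3", "category": "Information Disclosure", "requirement": "Mask PII in logs", "status": "implemented"},
        {"id": "T4", "category": "Denial of Service", "requirement": None, "status": None},  # threat without requirement
    ]},
]

def is_complete(model):
    """Assumed definition: a model is complete when it has at least one threat and
    every threat carries a security requirement with a tracked status."""
    return bool(model["threats"]) and all(t["requirement"] and t["status"] for t in model["threats"])

def metrics(models):
    """Return the report numbers the article names: models created and completed,
    threats identified, requirements defined, requirements implemented."""
    threats = [t for m in models for t in m["threats"]]
    reqs = [t for t in threats if t["requirement"]]
    return {
        "models_created": len(models),
        "models_completed": sum(is_complete(m) for m in models),
        "threats_identified": len(threats),
        "requirements_defined": len(reqs),
        "requirements_implemented": sum(t["status"] == "implemented" for t in reqs),
        "threats_by_category": dict(Counter(t["category"] for t in threats)),
    }

def per_team(models):
    """The same numbers broken down per team, as a management report would show them."""
    teams = sorted({m["team"] for m in models})
    return {team: metrics([m for m in models if m["team"] == team]) for team in teams}

if __name__ == "__main__":
    print("company-wide:", metrics(THREAT_MODELS))
    for team, numbers in per_team(THREAT_MODELS).items():
        print(team, numbers)
```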

The Challenges of Rolling Out Threat Modeling at a Large Company Conclusion

Rolling out threat modeling is not easy. And rolling out threat modeling at a large company is even harder simply due to sheer scale!

In this article, I presented four challenges and solutions for rolling out threat modeling at a large company. There are more challenges and solutions, but this is a great start on your journey.
