Threat modeling is a top priority in 2021 according to 79 percent of respondents to a new survey, yet many organizations are still falling short in taking action or updating their approach.
The research from Balanced Development Automation (BDA) platform Security Compass shows that traditional threat modeling practices are historically slow and hinder an organization’s goal of getting applications to market quickly.
Additionally, over half of respondents report issues when trying to integrate the modeling process into their existing technologies. Only 25 percent of survey participants indicate their organizations conduct threat modeling during the early phases of software development (requirements gathering and design) before proceeding with application development. Fewer than 10 percent perform threat modeling on 90 percent or more of the applications they develop; most commonly, they test between 50 and 74 percent of their applications.
Over 60 percent of organizations believe that all aspects of their organization’s threat modeling could be fully automated, yet only 28 percent have reached that threshold. More than half say they face challenges in automating and integrating their threat modeling activities with other technologies, with 41 percent of respondents thinking that it takes too long.
The COVID-19 pandemic has highlighted issues too. Over 80 percent of organizations have had to make moderate to significant changes to their cybersecurity approach as a result of COVID-19, while more than 84 percent report making cybersecurity changes because of supply chain vulnerabilities. However, 31 percent of companies perform threat modeling on less than half of the applications they develop that are associated with their supply chain.
“Software is being used in almost every aspect of everyday life, making it essential for organizations to be equipped with the necessary resources to perform timely threat modeling on the applications that they develop and deploy,” says Rohit Sethi, CEO of Security Compass. “Threat modeling ensures that vulnerabilities are recognized and remediated before they become a problem. Security Compass is hopeful that by providing the industry with detailed insights into the state of threat modeling, more organizations will self-assess, identify areas where they can automate and improve their existing approach to threat modeling, and ultimately improve their overall security posture.”
You can get the full report on the Security Compass site.