The 2021 State of Threat Modeling: An interactive e-book publication

Introduction

With cybersecurity threats rising at an alarming rate over the past year, enterprises that build applications are increasingly realizing the necessity of adopting a security posture built on precautionary principles. With cyberattacks, it is no longer a question of “will it happen?” Rather, applications are more likely than not to come under many and varied cybersecurity attacks.

As a result, engineers of complex software systems carry a burden of proof that what they create is safe from the outset, rather than determining after the fact whether it represents an unintended danger. Criminals are “innocent until proven guilty”; software applications are “guilty until proven innocent”.

This asymmetry between cybercriminals and software developers is also apparent with respect to time and resources. While skilled cybercriminal groups can have seemingly unlimited time and resources at their disposal, software engineers are under constant pressure to bring their applications to market.

To address these imbalances, threat modeling has become core to ensuring applications can withstand future attacks. It is essential from the outset of the software development lifecycle to anticipate where attacks are likely to come from and to prescribe controls that mitigate the risk from these threats. Additionally, it is essential that much of this process becomes automated, so that time to market for new applications, and for upgrades to existing systems, is not compromised.

To understand the current state of threat modeling and the challenges large enterprises encounter with the applications they build and deploy, Security Compass commissioned a comprehensive study on the topic.

Current State

The image has three sections: Priority 2021, How Often Threat Modeling is Performed, and Expected Growth in 2021. The first chart shows 79% as a top priority, 21% working on it but not a top priority, and 0% not a top priority for this year. The second chart shows threat modeling is typically done every release (58%), only once (28%), or every year (14%). The third chart shows 71% expect to grow, 25% to stay the same, and 4% to shrink in 2021.

Threat modeling is a key priority for most software development functions in large enterprises throughout the US and UK, with expected growth in the practice throughout 2021. Nonetheless, over a quarter of companies perform threat modeling only once on the applications they develop.

Building Cyber Resilience

There is little consistency within or across sectors in how many of the applications built are threat modeled.

This bar chart illustrates the percentage of applications built that threat modeling is performed on: 0% less than 10%, 4% between 10% and 24%, 30% between 25% and 49%, 39% between 50% and 74%, 19% between 75% and 90%, and 8% more than 90%.

Supply chains may be particularly vulnerable, as threat modeling is only performed a third of the time on the supply chain associated with apps that large enterprises develop.

The majority, however, do not start early enough, that is, during requirements gathering and design.

This bar chart shows when threat modeling is typically performed in the SDLC: 6% during requirements gathering, 19% during design, 51% during development, 16% during testing, 6% during deployment, and 2% during maintenance.

Challenges

This image contains two sections. The first chart lists internal threat modeling challenges: difficulty automating integration with other technologies (56%), lack of consistency (43%), too time-consuming (41%), too manual (37%), lack of skilled resources (20%), and not high enough of a priority (18%). The second pie chart shows the amount of change companies experienced in their approach to cybersecurity due to COVID-19: 48% great deal of change, 34% moderate change, 13% no change, and 5% don’t know/not sure.

New Technology Impact

This bar chart shows the impact of new technologies on threat modeling. Categories include Machine Learning (41% great deal of change, 37% moderate change, 17% no change, 5% don’t know), AI, Robotics, IoT, Employee Collaboration Tools, Blockchain, Video Conferencing Tools, NLP, Chatbots, Biometrics, and Geolocation Tracking, with varying percentages for great deal of change, moderate change, no change, and don’t know.

As the interactive graph above shows, Machine Learning and AI have had the largest impact on threat modeling approaches overall. In companies where threat modeling is a top priority, these two technologies have caused even greater changes to threat modeling.

By contrast, in companies where threat modeling is worked on but not a top priority, Blockchain has been the source of a great deal of change.

Automation

Having threat modeling fully automated is key, especially for companies that have made threat modeling a key priority in 2021.

This bar chart shows the extent of automation in threat modeling: 28% fully automated, 43% majority automated, 23% an even mix of automation and manual processes, 4% majority manual, and 1% all manual.

This bar chart illustrates the potential for automating threat modeling: 61% believe all could be automated, 26% the majority could be automated, 11% an even mix of automation and manual processes, 1% majority needs to be manual, and 0% all needs to be manual.


Conclusion

Recognizing that many of the breaches and vulnerabilities that occur in software products are the result of human error in design, it is critical to build security into the software development lifecycle from the very beginning. At the same time, security and risk practitioners need to balance their responsibility to mitigate risk with their organization’s need to deliver software to users in a timely fashion.

To meet the competing demands of greater focus on cybersecurity during software development and time-to-market pressures, automation of threat modeling has become key. Performing it at the beginning of the software development lifecycle for all applications deployed, not just the ones considered “business critical,” and repeating it with every new release is essential to staying safe and secure in an increasingly hostile digital world.

Many large enterprises are now achieving this balance, bringing software to market that is both secure and timely in meeting their customers’ needs.