The State of Security by Design and Threat Modeling in 2024

Introduction

In today’s cybersecurity landscape, security by design is becoming a standard in software development. In this context, threat modeling plays a critical role in identifying, assessing, and mitigating potential security vulnerabilities in software systems as they are built. This report finds that the majority of organizations that perform threat modeling do so from the design stage of the software development life cycle, ‘shifting left’ to address security issues early. Security by design and threat modeling are becoming executive priorities, and Boards of Directors are requiring regular updates on their progress. Threat modeling is considered essential in over 70% of large ($1B+) and medium-sized ($200M to <$1B) enterprises in the UK and US. Notably, about a quarter of these companies apply threat modeling to three-quarters or more of their applications, with secure coding guidelines the most commonly used tool. Additionally, over half of the companies that implement threat modeling have a Security Champions program in place, which most of them find effective in fostering security awareness and practices.

Despite its integration and perceived importance, threat modeling faces significant challenges such as scalability and resource allocation, which impede its broader application. Training formats vary, with interactive hands-on and instructor-led training being the most popular, reflecting an emphasis on practical, application-specific learning. Threat modeling is credited with reducing high-risk vulnerabilities and improving security team efficiency, but keeping practices up to date and managing the associated costs remain persistent hurdles. Investments continue to flow into training and technological solutions to improve security postures, reflecting an ongoing commitment to robust threat modeling practices.

Study Firmographics

A bar chart titled “Revenue by Geography” with two bars showing the split of respondents by geography: UK 33%, US 67%.

A treemap chart titled “Sector by Geography” showing the distribution of sectors across the UK and US. Overall: Digital services & software 38%, Financial services & insurance 21%, Pharmaceuticals 13%, Manufacturing 13%, Retail 4%, Healthcare 4%, Utilities 2%, Telecom 2%, Energy 2%.

This study provides a management-level view of companies in the UK and US that undertake Threat Modeling, across a broad array of industries.

Implementing Security by Design

Reducing risk is the #1 reason, followed by the need to meet regulatory and compliance standards. These findings hold for both the US and the UK. Medium-sized enterprises place virtually the same weight on compliance as on risk. The pharmaceutical sector differs from others in prioritizing the need to scale application security while meeting both regulatory and customer requirements.

A bar chart that shows the reasons for implementing Security by Design across different categories. Overall, 79% of respondents aim to reduce risk, 72% to meet regulatory/compliance requirements, 68% to scale application security, 58% to meet customer requirements, and 44% to reduce costs.

SDLC Stages for Implementing App Security

A noticeable “shift left” has occurred, with over half of companies conducting Threat Modeling at the Design Stage.

Graph illustrating the Software Development Life Cycle (SDLC) stages at which app security is implemented, by company revenue. The stages are Design, Development, Testing, Deployment, and Post Deployment, with percentages shown for each stage for companies over and under $1 billion in revenue.

Leadership Support for Security by Design

Generally, senior leadership supports Security by Design and requests regular updates, while Boards of Directors more often support it in principle without getting into the details.

The bar chart visualizes leadership support for Security by Design. 66% of executive leadership fully support it and request regular updates, compared to 42% of boards of directors. 33% of executive leadership support it in principle without getting into the details, compared to 48% of boards. Only 3% of executive leadership and 10% of boards are not involved at all.

Security Champions

Over half of the companies that do Threat Modeling have a Security Champions program, and of those that do, most find it at least moderately effective.

Bar chart showing whether a Security Champions program is in place, and how effective it is. Program in place, overall: 53% yes, 33% no, 3% in the works, 11% not sure. Program effectiveness: 8% not effective, 13% slightly effective, 48% moderately effective, 31% very effective.

Threat Modeling Approaches

Bar chart showing expected growth in threat modeling from 2021 to 2024, by geography and revenue. Categories are grow, stay the same, and shrink, with percentages for each.

Bar chart showing the priority given to threat modeling from 2021 to 2024. The percentage rating it a top priority is listed for each year, alongside the lower-priority categories.

While Threat Modeling remains a key priority in 2024, for many companies it has become an integral part of software development. Hence, it continues to grow in use but is less often named as a separate “strategic priority”.

Frequency and Tools Used

A quarter of companies conduct Threat Modeling on 75% or more of their applications. Secure coding guidelines are by far the most commonly used Threat Modeling tool in both the US and the UK, and for both medium and large companies.

Bar chart showing the share of applications covered by threat modeling, 2021 to 2024. Categories: less than 10%, 10-24%, 25-49%, 50-74%, 75-90%, and more than 90%.

Bar chart showing the usage of security, risk, and compliance tools: Secure coding guidelines (72%), SAST (static application security testing, 55%), GRC (governance, risk and compliance) tool (54%), SCA (software composition analysis, 37%), and others.

Scalability

All companies are making considerable efforts toward scalable Threat Modeling processes, although only one in ten companies doing Threat Modeling claim to have fully automated the process.

Bar chart rating threat modeling processes on Compliance, Audit-ability, Accuracy/Reliability, Consistency, and Scalability. Each measure is broken down on a 1-10 scale, showing varying levels of maturity and automation.

Challenges

Bar chart showing internal threat modeling challenges for 2024 versus 2023. The top challenges are staying current with new threats, scalability, resource constraints, and a lack of skilled resources.

Bar chart showing the most challenging parts of meeting security and compliance requirements: staying up to date with current security requirements (50%), increased scope (24%), lack of expertise (14%), unclear requirements (9%), time-consuming (2%).

Staying current, both on new threats and on the security compliance obligations and regulations that govern how they are managed, is by far the biggest cybersecurity challenge, internally and externally.

Security Risks

While front-end web applications pose the greatest security risk overall, there is considerable variation between the UK and the US, and between medium-sized and large enterprises. Identity and authentication is rated the largest security risk in the UK; for large enterprises it is data and file storage components.

Bar chart showing perceived security risks by geography and revenue. The share rating each as high or very high risk is listed for front-end web apps, data/file storage, identity/authentication, AI solutions, cloud components, and more.

Role Involvement in Threat Modeling

DevOps engineers are typically the most actively involved in Threat Modeling, although this varies by geography, with more Developers actively involved in the UK than in the US.

Bar chart showing role involvement in threat modeling by geography and revenue, with percentages for external consultants, development leadership, application security specialists, developers, and DevOps engineers for the overall sample, the UK, and the US.

Challenges Versus Staying Up-to-date

While three quarters claim that their secure development guidelines are up to date, among those whose guidelines are not, the #1 reason given is that “it takes too much time” to keep them current.

Bar chart displaying the status of secure development guidelines: 74% up to date, 26% often out of date. Reasons for being out of date include time, scope, expertise, staying current, and unclear requirements.

Effectiveness of Threat Modeling

Generally, threat modeling efforts are viewed as effective. However, this view varies across roles: Application Security has a very positive view, while by contrast IT Infrastructure holds a less favorable one.

Bar chart showing perceived effectiveness of threat modeling by function: overall, compliance/audit/risk management, application security, software development, and I.T. infrastructure, on a scale from not effective to extremely effective.

Measuring the Effectiveness of Threat Modeling

Bar chart indicating the share of respondents who measure the effectiveness of threat modeling, by function: Overall (85%), application security (94%), I.T. infrastructure (94%), software development (88%), and compliance/risk management (77%).

Training

The majority of companies provide secure development training, and of those that do, two thirds do so because it is mandatory for compliance. This finding is the same for the US and the UK. Large enterprises are more likely to provide it for all applications.

Stacked bar chart illustrating the status of secure development training in organizations: roughly 60% provide it for all applications and 40% for some applications, with a small share providing no training.

Stacked bar chart showing developer security training requirements: 66% say it is mandatory for compliance, 32% say it is provided but not required, with the remaining segments for those who wish it existed or see no need for it.

Security Training Formats

Interactive hands-on training formats are the most popular overall, followed by instructor-led training. Notable differences in formats were seen between the US and the UK, with the UK much more likely to use self-paced learning and just-in-time training (JITT).

Bar chart listing training formats in use: interactive hands-on training (49%), instructor-led (45%), eLearning from catalog providers (45%), eLearning from software vendors (45%), self-paced (38%), and others.

Measurement Methods

Time savings is the most prevalent measure of effectiveness. In the UK, a reduction in the number of high-risk vulnerabilities is a much more common measure than in the US. By revenue size, large enterprises are much more likely than medium-sized ones to emphasize team efficiency improvement.

Bar chart depicting methods used to measure threat modeling effectiveness: time saved in identifying and resolving issues (43%), reduction in high-risk vulnerabilities (41%), tracking of vulnerabilities (41%), feedback from audits (40%), and more.

Allocating Budget for Threat Modeling

Bar chart showing where organizations allocate budget for threat modeling: 64% to commercial tools, 60% to internal experts, 54% to internal tooling, 52% to consultants, and 1% unsure. The chart also includes cost details on fixes, frequency of threat modeling, and annual cost.

Conclusion

As we look to the future, it is clear that security by design is increasingly a necessity for enterprises producing software, with threat modeling an integral component of this approach. The 2024 report underscores its pivotal role in shaping a mature security posture, highlighting the evolution from traditional methods toward more automated practices that improve both operational efficiency and cybersecurity. Our findings emphasize the growing importance of comprehensive training programs and the effective deployment of Security Champions, which respondents find essential in fostering a security-conscious culture.

Strategic budget allocations toward threat modeling are reported to deliver a return on investment, enabling organizations to improve their security practices without compromising speed or innovation. These investments support the development of the tools and training that drive the effectiveness of threat modeling practices.

As threat modeling becomes more embedded in the software development lifecycle, its strategic importance in safeguarding digital assets while fostering innovation is becoming self-evident. Security Compass remains committed to advancing these practices, ensuring that organizations can navigate the complexities of modern cybersecurity with confidence and agility.