For those just starting with threat modeling, try starting small and targeting low-hanging fruit as you begin integrating it into the security development lifecycle. As your program develops, we suggest moving from ad hoc models to reproducible assessments.
Threat modeling requires resources; be ready to assign team hours to it. Even as your organization is getting started, you should expect to see gains from informal STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege) tabletops with the development team. This piece provides guidance for reaching three levels of threat modeling maturity.
While many threat modeling frameworks exist, such as STRIDE or PASTA (Process for Attack Simulation and Threat Analysis), most are written as high-level guides for what to consider in a threat modeling exercise. There are, unfortunately, few references describing how to use these frameworks to rate an organization's maturity. Admittedly, this is a bit of a "square peg, round hole" problem: these frameworks were never meant to be used for evaluating threat modeling maturity (or advancing it).
We find that the best existing model to adapt for general threat modeling maturity is the OWASP Software Assurance Maturity Model (SAMM). SAMM is organized into business functions and security practices, and each practice is divided thematically into "streams," each of which covers one component of software assurance. SAMM is a natural choice for our purposes because it includes a threat assessment practice and because OWASP has published the evaluation criteria. The roadmap section of the SAMM scorecard provides some maturity guidance that will be used in this
The OWASP SAMM Threat Assessment practice is composed of two streams: application risk profile and threat modeling.
While the focus here will be on the threat modeling stream, organizations are encouraged to examine the application risk profile stream as well. It is difficult to threat model adequately when the risks the organization considers acceptable have not been defined in advance.
OWASP SAMM defines three maturity levels for the threat assessment practice and, within it, for the threat modeling stream. In the remainder of this section, we describe each level in increasing order of maturity and address the action items for moving between them.
In the starting state, the organization has yet to create a formal threat modeling program but recognizes the need to begin building one.
In maturity level one, only those applications which are defined as “high risk” to the organization receive formal threat modeling. The organization creates a formal threat modeling checklist to standardize the process. The STRIDE framework works well for this checklist because it is easy to remember and high-level enough that it can cover risks from almost any application.
At this maturity level, new architectural and dataflow diagrams are not being generated. Instead, the organization makes use of existing documentation and applies frameworks like STRIDE to it. The outcomes of threat modeling sessions are captured and stored for later use; most organizations will codify this in a document that is stored with other program management-related documents.
In this state, the organization has already completed the activities at level one and wants to mature to level two. Most organizations today do not fully embrace the activities at this maturity level.
The two key changes in this phase are expanding the scope of which applications receive threat modeling and formalizing the threat modeling process. Action items, including diagramming flaws and mitigations, are discussed below.
In this state, the organization has a fairly comprehensive threat modeling program and wants to mature to the highest level of threat modeling maturity. Very few organizations achieve this level. The resources required to reach it should only be expended if other streams in the OWASP SAMM are already at or approaching maturity level two.
The key changes in this phase are the incorporation of feedback to drive improvement, the implementation of periodic reviews of existing threat models and automation (where possible).
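The level one checklist and the level three periodic review and automation goals can be illustrated with a small "threat model as code" script. This is an added example for this page, not code from IANS or OWASP SAMM. It applies the widely used STRIDE-per-element table (external entities: S and R; processes: all six; data stores: T, R, I and D; data flows: T, I and D) to the elements of an existing dataflow diagram, records which items have a mitigation or documented risk acceptance, reports the open items and flags models that have not been reviewed within an interval. The sample application model, its element names and mitigations, and the 365-day review interval are all constructed for illustration.

```python
"""STRIDE-per-element checklist applied to a small dataflow model.

Added example for this page; not code from IANS or OWASP SAMM. The kind-to-
category table is the commonly used STRIDE-per-element mapping; the sample
model and the review interval below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# STRIDE-per-element: the categories the checklist requires for each element kind.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass
class Element:
    """One box or arrow taken from the existing architecture/dataflow diagram."""
    name: str
    kind: str
    # Mitigation or documented risk acceptance per STRIDE letter, recorded in the session.
    mitigations: dict = field(default_factory=dict)


@dataclass
class ThreatModel:
    application: str
    risk: str            # from the application risk profile: "high", "medium" or "low"
    last_reviewed: date
    elements: list


def expected_threats(model):
    """Every (element, STRIDE letter) pair the checklist requires the team to consider."""
    pairs = []
    for e in model.elements:
        if e.kind not in STRIDE_PER_ELEMENT:
            raise ValueError(f"{e.name}: unknown element kind {e.kind!r}")
        pairs.extend((e, c) for c in STRIDE_PER_ELEMENT[e.kind])
    return pairs


def coverage_gaps(model):
    """Checklist items with no recorded mitigation: the session's open action items."""
    return [(e.name, STRIDE_NAMES[c]) for e, c in expected_threats(model)
            if c not in e.mitigations]


def review_due(model, today, max_age_days=365):
    """Periodic review: true when the model is older than the review interval."""
    return today - model.last_reviewed > timedelta(days=max_age_days)


def report(model, today):
    """Human-readable summary suitable for storing with the program documents."""
    total = len(expected_threats(model))
    gaps = coverage_gaps(model)
    lines = [f"Threat model: {model.application} (risk: {model.risk})"]
    if review_due(model, today):
        lines.append(f"  REVIEW OVERDUE: last reviewed {model.last_reviewed}")
    lines.append(f"  {total - len(gaps)}/{total} checklist items mitigated")
    lines.extend(f"  TODO  {name}: {category}" for name, category in gaps)
    return "\n".join(lines)


# Constructed sample: a hypothetical order portal, modeled from existing diagrams.
SAMPLE_AS_OF = date(2024, 2, 21)
SAMPLE_MODEL = ThreatModel(
    application="Order portal",
    risk="high",
    last_reviewed=date(2023, 1, 15),
    elements=[
        Element("Customer browser", "external_entity",
                {"S": "OIDC login with MFA", "R": "Signed audit log of customer actions"}),
        Element("Order API", "process",
                {"S": "mTLS between services", "T": "Input validation, parameterized SQL",
                 "I": "TLS 1.2+ only, no PII in logs", "E": "Runs as unprivileged service account"}),
        Element("Orders DB", "data_store",
                {"T": "Least-privilege DB roles", "I": "Encrypted at rest"}),
        Element("Browser -> Order API", "data_flow",
                {"T": "TLS", "I": "TLS"}),
    ],
)

if __name__ == "__main__":
    print(report(SAMPLE_MODEL, SAMPLE_AS_OF))
```

Running the script lists the five open items for the sample (repudiation and denial of service for the API and the database, denial of service for the browser-to-API flow) and flags the model as overdue for review. Because the model is data rather than a slide deck, the same check can run in CI whenever the model file changes, which is the automation the level three text calls for.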
Using the steps laid out in this piece, your organization can begin integrating threat modeling activities into its security development lifecycle. Those already performing threat modeling can use these steps to mature their process.
Threat modeling has obvious benefits, but it can be hard to get a program off the ground. Start small and don't let "perfect" stand in the way of measurable progress. Often the largest early security gains in an application come simply from performing an informal STRIDE tabletop with the development team.