DevSecOps and the Evolution of Threat Modeling
August 15, 2022

Archie Agarwal

Threat modeling has become an integral part of the software development process, providing developers with an opportunity to identify security threats and vulnerabilities and create logical remediation methods.

While threat modeling appears straightforward in concept, it features many variations and nuances in practice. The diversity of threats and vulnerabilities requires developers to evolve threat modeling practices to the current security landscape.

The ability to adjust to different threat environments is core to the concept of threat modeling. The process focuses on protecting a system in a risk-based way instead of simply following a standard checklist. Let's look more at threat modeling, how the practice started and how it continues to flourish today.

The Origins of Threat Modeling

In the mid-1990s, Microsoft engineers Praerit Garg and Loren Kohnfelder developed STRIDE, a mnemonic device for security threats that is seen as the first threat modeling process. STRIDE (which stands for: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege) works to remind developers of what threats a platform may face.

Since then the tools and models have improved and simplified threat modeling. Advancements in threat modeling include:

Data Flow Diagrams (DFD). These help visualize how data flows through a system, allowing developers to identify potential weak points in the security architecture.

OWASP PASTA. The Open Web Application Security Project's PASTA (process attack simulation and threat analysis) serves as a methodology that emphasizes identifying threat impacts earlier in the development process. It also recognizes that risks should be ranked based on their overall severity.

OWASP ASVA. ASVA (application security verification standard) is a checklist replacement for STRIDE. It goes beyond STRIDE and evolves to become more comprehensive.

Threat Modeling in Today's Environments

Today's threat modeling tools can automatically analyze infrastructure-as-code in a DevOps pipeline for threats and provide recommended remediation. As cyber-attacks continue to be on the rise, companies have begun to understand the importance of including security as part of their DevOps pipelines.

Too often, security was either left out of the development process or instituted later in later stages. The driving force was often speed, as DevOps environments pushed for quicker development times, leaving security as an afterthought.

Developers often lacked the proper skills to add security controls. Developer training has usually focused on application development and the ability to add functionality with security seen as a necessary — and often underdeveloped — evil that slowed execution.

With growing security threats, the practice of simply having security "bolted on" at the end does not work, especially in CI/CD pipelines. However, this can be challenging as security risks can arise during the integration stage until the DevOps model is fully implemented.

A Better Path Forward

Security practitioners continue to push security development left. The emergence of next-gen threat modeling and increased automated technologies during the development process will further add benefits.

When implemented correctly, threat modeling can create system-wide security improvements, knowledge sharing among teammates, proactive design guidance, and improved communication between stakeholders.

Threat modeling technologies continue to advance and move past the manual and outdated structures that developers long relied. Using automation, enhanced collaboration, and more robust libraries for threat model templates will improve the speed and scale of development.

As we continue forward, we will see a Github-ification of threat models. Developers will share threat models to improve overall development, allowing developers to create similar tools and the ability to communicate from a collective expertise.

Threat modeling has made tremendous strides in the past 25 years. As we move forward, continued advances will strengthen the process and bring a higher level of security to the DevOps process.

Archie Agarwal is Founder and CEO at ThreatModeler
Share this

Industry News

October 02, 2023

Spectro Cloud announced Palette EdgeAI to simplify how organizations deploy and manage AI workloads at scale across simple to complex edge locations, such as retail, healthcare, industrial automation, oil and gas, automotive/connected cars, and more.

September 28, 2023

Kong announced Kong Konnect Dedicated Cloud Gateways, the simplest and most cost-effective way to run Kong Gateways in the cloud fully managed as a service and on enterprise dedicated infrastructure.

September 28, 2023

Sisense unveiled the public preview of Compose SDK for Fusion.

September 28, 2023

Cloudflare announced Hyperdrive to make every local database global. Now developers can easily build globally distributed applications on Cloudflare Workers, the serverless developer platform used by over one million developers, without being constrained by their existing infrastructure.

September 27, 2023

Kong announced full support for Kong Mesh in Konnect, making Kong Konnect an API lifecycle management platform with built-in support for Kong Gateway Enterprise, Kong Ingress Controller and Kong Mesh via a SaaS control plane.

September 27, 2023

Vultr announced the launch of the Vultr GPU Stack and Container Registry to enable global enterprises and digital startups alike to build, test and operationalize artificial intelligence (AI) models at scale — across any region on the globe. \

September 27, 2023

Salt Security expanded its partnership with CrowdStrike by integrating the Salt Security API Protection Platform with the CrowdStrike Falcon® Platform.

September 26, 2023

Progress announced a partnership with Software Improvement Group (SIG), an independent technology and advisory firm for software quality, security and improvement, to help ensure the long-term maintainability and modernization of business-critical applications built on the Progress® OpenEdge® platform.

September 26, 2023

Solace announced a new version of its Solace Event Portal solution that gives organizations with Apache Kafka deployments better visibility into, and control over, their Kafka event streams, brokers and associated assets.

September 26, 2023

Reply launched a proprietary framework for generative AI-based software development, KICODE Reply.

September 26, 2023

Harness announced the industry-wide Engineering Excellence Collective™, an engineering leadership community.

September 25, 2023

Harness announced four new product modules on the Harness platform.

September 25, 2023

Sylabs announced the release of SingularityCE 4.0.

September 25, 2023

Timescale announced the launch of Timescale Vector, enabling developers to build production AI applications at scale with PostgreSQL.