In the pursuit of studying the AppSec person and program in the wild, today’s research unpacks the voluntary vs. mandatory debate on threat modeling.
Different organizations take different approaches to implementing threat modeling, and the choice is a crucial decision in the life of the AppSec program. The existing engineering and organizational culture has a definite impact on that choice. It is best not to go against the culture with this decision, as doing so will likely spell defeat for your new undertaking from the beginning.
A LinkedIn poll suggests that most respondents approach threat modeling as voluntary but encouraged.
The Mandatory Approach
Some make threat modeling a mandatory gate and prevent developers from moving a new feature into production if threat modeling is not performed. The status of the threat model is monitored in some way, and if the model has not been uploaded or attached to a ticket, the feature cannot progress through the pipeline.
The mandatory approach requires a clear and concise process. As you are forcing teams to perform threat modeling, they will push back heavily if you do not clearly define what it is they must complete.
Strengths of mandatory
- Whatever you decree is unilaterally applied to all features.
- Because everything is threat modeled, creation of the models necessarily expands beyond the security team to developers and product-adjacent roles.
Weaknesses of mandatory
- If the team is forced to perform a threat model, they may consider it a compliance artifact and put little effort into it.
- The volume of threat models makes governance and review more difficult.
The Voluntary Approach
The other side of the coin is voluntary, where threat modeling is encouraged but does not act as a blocker for a new feature. With voluntary, the developers and product-adjacent staff who take part tend to be your security champions, people with an existing passion and drive for security.
Strengths of voluntary
- Those that threat model have a desire to threat model.
- Models will be of higher quality because voluntary effort is applied.
Weaknesses of voluntary
- Threat models may not be completed for crucial features.
- Security vulnerabilities resulting from design issues could slip into production with no consideration.
Not doing threat modeling at all
Eight percent of respondents to the survey admitted to not doing any threat modeling. Yet threat modeling is valuable and returns far more value than it costs. Gaining a culture where developers and product-adjacent staff understand and think about security is priceless.
- Skipping it saves resources and limits disagreements about workload between security and engineering.
- Missing out on design-related issues can translate into vulnerabilities in production.
- Design-related issues could be at the subsystem level (think authentication or authorization), resulting in total system/application compromise.
The Hybrid Approach
The Hybrid Approach surfaced in the poll comments, shared by Julie Davila, CTO, Federal at Sophos. She described the Sophos threat modeling approach as mandatory at first, but afterwards only a gate if the new code or integration warrants it.
Sophos focuses on empowering engineering teams via security champions to do much of the triaging and “0 to 80” work for scale. The AppSec team is generally involved with every “first” threat model, and teams are then expected to update it autonomously, with the ability to phone for help if needed. The engineering leaders endorse the shared responsibility model, so it is not purely bottom-up.
Even so, threat modeling with every code or infrastructure change isn’t good or ideal, according to Julie. The reasons to update a model, broadly speaking, include:
- New data flow (having a solid data flow diagram is essential)
- New infrastructure (e.g., an app suddenly starts using AWS SNS)
- Changes to the type of data going through a system (e.g., a new feature introduces customer PII data)
- Changes to encryption
- Changes to prior assumptions surrounding a security framework, centralized logging, etc.
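To make the hybrid policy concrete, here is an added example in Python that is not code from the article, the poll, or Sophos. It combines the mandatory-approach check described earlier (a feature cannot progress unless a threat model is attached to its ticket) with Julie’s list of update triggers: a change that fires none of the triggers passes without a model, a change that fires one is blocked until an updated model is attached. The `Change` fields, path prefixes, cloud-service names, data-class labels and the threat-model link format are all constructed assumptions standing in for whatever a real CI job would read from its own change manifest.

```python
"""Hybrid threat-model gate: mandatory only when the change warrants it.

Added example; the change facts and heuristics below are constructed
assumptions, not any organization's real pipeline.
"""
from __future__ import annotations

from dataclasses import dataclass, field, replace

# Trigger heuristics mapping to the article's update reasons (constructed).
INFRA_PATH_PREFIXES = ("terraform/", "cloudformation/", "k8s/", "helm/")
CRYPTO_PATH_KEYWORDS = ("crypto", "encrypt", "tls", "kms")
ASSUMPTION_PATH_PREFIXES = ("auth/", "logging/", "security/")
SENSITIVE_DATA_CLASSES = {"pii", "phi", "payment"}


@dataclass
class Change:
    """Facts about a proposed change that CI already knows (constructed)."""
    touched_paths: list[str] = field(default_factory=list)
    new_external_endpoints: list[str] = field(default_factory=list)  # new data flows
    new_cloud_services: list[str] = field(default_factory=list)      # new infrastructure
    added_data_classes: set[str] = field(default_factory=set)        # data type changes
    threat_model_link: str | None = None                             # ticket attachment


@dataclass
class GateResult:
    passes: bool
    model_required: bool
    reasons: list[str]


def update_triggers(change: Change) -> list[str]:
    """Return the reasons this change warrants a threat-model update.

    An empty list means the change is routine and threat modeling stays
    voluntary for it.
    """
    reasons: list[str] = []
    if change.new_external_endpoints:
        reasons.append("new data flow: " + ", ".join(change.new_external_endpoints))
    infra_paths = [p for p in change.touched_paths if p.startswith(INFRA_PATH_PREFIXES)]
    if change.new_cloud_services or infra_paths:
        reasons.append("new infrastructure: " + ", ".join(change.new_cloud_services + infra_paths))
    sensitive = change.added_data_classes & SENSITIVE_DATA_CLASSES
    if sensitive:
        reasons.append("new data classification: " + ", ".join(sorted(sensitive)))
    crypto_paths = [p for p in change.touched_paths
                    if any(k in p.lower() for k in CRYPTO_PATH_KEYWORDS)]
    if crypto_paths:
        reasons.append("encryption change: " + ", ".join(crypto_paths))
    assumption_paths = [p for p in change.touched_paths if p.startswith(ASSUMPTION_PATH_PREFIXES)]
    if assumption_paths:
        reasons.append("security assumption change: " + ", ".join(assumption_paths))
    return reasons


def hybrid_gate(change: Change) -> GateResult:
    """Block only when a trigger fires AND no updated model is attached."""
    reasons = update_triggers(change)
    if not reasons:
        return GateResult(passes=True, model_required=False, reasons=[])
    return GateResult(passes=bool(change.threat_model_link), model_required=True, reasons=reasons)


# Constructed sample changes.
COPY_TWEAK = Change(touched_paths=["web/templates/home.html"])
SNS_WITH_PII = Change(
    touched_paths=["services/notify.py", "terraform/sns.tf"],
    new_cloud_services=["aws:sns"],
    added_data_classes={"pii"},
)
SNS_WITH_MODEL = replace(SNS_WITH_PII, threat_model_link="https://tm.example.invalid/TM-1234")
CRYPTO_ONLY = Change(touched_paths=["lib/crypto/token_encrypt.py"])


if __name__ == "__main__":
    for name, change in [("copy tweak", COPY_TWEAK), ("sns+pii, no model", SNS_WITH_PII),
                         ("sns+pii, model attached", SNS_WITH_MODEL), ("crypto only", CRYPTO_ONLY)]:
        result = hybrid_gate(change)
        print(f"{name:26} {'PASS' if result.passes else 'BLOCK':5} {result.reasons}")
```

The design point is that the trigger list, not the pipeline, carries the policy: teams whose change touches nothing on the list are never asked for busywork, while a change that adds a new cloud service or a new data classification cannot merge until the existing model is refreshed, which is exactly the "mandatory only if warranted" split described above.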
After considering the options on the poll, the best path forward for an organization is the hybrid approach. Hybrid combines the best of both: it keeps the necessary threat modeling control for new features without pushing product teams into threat modeling as busywork. That makes hybrid threat modeling the best path forward for your application security program.