What is threat modeling?

Threat modeling is an activity most of us incorporate in our daily life. For instance, a commuter might wonder what he would do if his train were delayed and he risked missing his flight. Threat modeling is a process that helps us identify potential threats. It also allows us to analyze the risks they pose and introduce mitigation strategies. At its core, threat modeling answers four key questions:

  • Where am I most vulnerable to attack?
  • What are the most relevant threats?
  • What should I do to safeguard against these threats?

Threat modeling prioritizes a journey of understanding security over a fixed snapshot (such as pen testing).

Why threat modeling?

100% security doesn’t exist. Unlike, for example, code coverage in testing, security is difficult if not impossible to quantify objectively. Hence, it is challenging to answer the question of how much investment in security is enough or necessary. Threat modeling provides a list of the most essential concerns. It can also provide an approximate cost for fixing them.

How does it work?

Threat modeling is a team exercise that includes architects, engineers, security champions and testers. We organize an initial threat modeling workshop for all the stakeholders at your organization. After the initial training, we organize a number of time-boxed workshops. Together we create a model of your system. Based on this model, we start eliciting threats, assess their risk level and look into possible mitigation strategies.

What do you get?

The result of threat modeling is a helicopter view of the security state-of-the-practice in the context of your software system. Among other things, threat modeling provides a list of threats with their likelihood, impact, risk, and mitigation strategy.

Unlike pen testing, which provides a largely loose snapshot of your security posture, threat modeling is a first step in helping your organization introduce a culture of finding and fixing threats in a more autonomous manner. Threat modeling also focuses on uncovering design-level errors, as opposed to the list of security bugs presented by pen testers.