John Taylor | Information Security Leader
August 21, 2024

Building foundations for your threat modeling program

In a recent webinar, we discussed what you need to build strong foundations for your threat modeling program. The topics covered included:

  • Processes
  • Training 
  • Support
  • Tooling
  • Resources (people)

You can see the webinar in full below, or read a roundup of the key takeaways in this blog. 

It's important to recognize that you don't need everything in place from day one to start building a threat modeling program. Depending on your organization, you might not need all the elements listed, even after a year or two. Think of it like an older Lego set: you can build whatever you want with it, not just what the instructions say. As we discuss the capabilities needed, remember that not having every element in place immediately does not mean you are threat modeling improperly.

Processes to run your threat modeling program

“We must understand how the team delivering threat modeling should operate to ensure consistency and a high level of quality.”

The process should be easy and clear, with a low barrier to entry, allowing teams to experiment without fear of failure. If something doesn't work, it should be easy to adjust and try a new approach. Having support from someone experienced in threat modeling also helps sessions run smoothly.

After determining what you need, set up solid processes for future success. Make longer-term decisions on how to run the program, including what other teams may need from it.

Training to support the initiative

“Learning to threat model and/or use a threat modeling platform requires knowledge and experience. Programs must include a way to educate all of those participating in threat modeling. This includes all your stakeholders.”

Training is crucial to reduce the apprehension and fear around threat modeling. Participants might not have a security background, but they bring valuable knowledge of the systems they design. The training should include clear instructions and support for those new to threat modeling, so they feel comfortable and confident.

When it comes to training, it’s beneficial to separate the cognitive load of learning the threat modeling process from mastering the tools used. In-house training programs are valuable because they can include specific examples from your organization, such as past security incidents. Analyzing these incidents can help you understand what was missing in your secure development lifecycle and incorporate those lessons into your training.

Gaining support for threat modeling success 

“When your journey begins, support is essential for success. There are bumpy roads ahead and being ready to support teams goes a long way to smooth out the road. Support comes in many ways.”

It isn't always clear where to begin, so consider how you will communicate with people and what information and support they may need. Options include a channel such as Slack, Microsoft Teams or similar, or team-focused webinars and playbooks containing the key information they will benefit from. Security Champions are worth considering too, as they can really support you through the program roll-out. Here is a useful resource about Security Champions.

Tooling to enhance threat modeling - do you need it?

“Threat Model tools can complement your process, accelerate your delivery, and provide consistency and quality. In my opinion, learning to do this manually first goes a long way to making you a better threat modeler, but not for everyone.”

Whether or not to choose a tool is up to you, but it becomes a factor to consider in your program: tooling affects your training, support, process and resources. There are many good reasons to adopt tools that a program will benefit from. Know what you need beforehand; an open source free tool, or even a manual approach, are viable options too if they meet that need. If you are unsure where to start, we created this blog with 11 Threat Modeling Tools.

Resources - you need people to succeed

“We are under constant constraints with resource allocation. Threat modeling is no different, but there are ways to address resources.”

Often you will have a very small number of people, unless you are very fortunate! In the webinar we held, the majority said they either had no spare resource or only 1 to 5 people who could support the threat modeling program. Starting small is still a great place to start. Keep it simple for anyone to pick up and, where possible, link it back to other work they may already be doing. Other options include professional services and consultancy, or go back to the Security Champion approach; here is a Guide we created to get you started.

Key takeaways

For strong program foundations, remember the following:

  1. Define program processes together with the threat modeling team and the external people who are threat modeling. Consistency and quality are key.
  2. Get training built into your program. There are many ways to deliver training; choose what you can deliver successfully in your organization.
  3. Have support ready for those threat modeling. You have to be there for success.
  4. Consider tooling when and where appropriate.
  5. Determine your resource needs based on your program requirements.
  6. Keep it simple and start threat modeling.

Still need support? Take a look at the upcoming session on ‘Driving Adoption’ and register your place here to look at the next step of building your program.