Claire Allen-Addy | Head of Product Marketing
November 15, 2024

History of Threat Modeling

What has the history of threat modeling been?

Threat modeling has been done in several forms for years; you only need to ask Adam Shostack about his work at Microsoft and beyond. He now dedicates his career and business to threat modeling and has written multiple publications about it. We at IriusRisk are a threat modeling company, with a team of experienced and capable people dedicated to building a world-class product that supports customers in rolling out their programs. Below is a roundup of activity we have seen in recent years.

In 2016 we created a free-forever version of our threat modeling tool, Community Edition, to make it accessible to all. It is now the largest free tool out there, with over 14,000 users (as of November 2024). In addition, there are many other free and open source tools being used to automate threat modeling. Several of them are listed in this blog: 11 Recommended Threat Modeling Tools. These include OWASP Threat Dragon and the Microsoft Threat Modeling Tool, plus many others.

In November 2020, the Threat Modeling Manifesto was formed, with many well-known threat modeling subject matter experts (SMEs) included as co-authors, including Adam Shostack, plus our very own Stephen de Vries (CEO) and Fraser Scott (Chief Scientist). It acts as a guiding set of principles and resources for companies to get started.

In 2021, OWASP listed Insecure Design as number four in its Top Ten. It states: ‘A04:2021-Insecure Design is a new category for 2021, with a focus on risks related to design flaws. If we genuinely want to "move left" as an industry, we need more threat modeling, secure design patterns and principles, and reference architectures. An insecure design cannot be fixed by a perfect implementation as by definition, needed security controls were never created to defend against specific attacks.’ At IriusRisk, we also doubled our headcount compared to the previous year.

In 2022, IriusRisk founded a new global (and vendor-agnostic) threat modeling community called Threat Modeling Connect. It aims to share education and information with the world on best practice for threat modeling. It has since grown to over 4,000 members.

In 2023, Threat Modeling Connect held its first global event, ThreatModCon, which sold out in Washington DC and brought together 140 people from 15 countries.

In 2024, not only has IriusRisk seen 50% growth since the previous financial year, but we held the first European ThreatModCon in Lisbon and the second ThreatModCon in America, this time in San Francisco, with speakers and participants coming in from across the globe, including Japan, Australia and India. Both events sold out and even extended to partner participation and sponsorships from Toreon, ArmorCode, Shostack + Associates, and Agile Stationery.

What does legislation say about threat modeling? 

Many publications and frameworks are now mandating or at least recommending threat modeling as an activity. Below are some examples from 2018 to 2023. 

Singapore’s 2018 Cybersecurity Act indirectly makes it a criminal offense not to perform cybersecurity risk assessments, which include threat modeling, on computers and systems that have been designated by the Cyber Security Agency (CSA) as Critical Information Infrastructure (CII).

The National Institute of Standards and Technology released the Secure Software Development Framework guidance (SSDF 1.1) and related Software Supply Chain Security Guidance in 2022. It is stated specifically within the guidelines, under Control Ref SA-8, Section PW.1.1, that some form of risk modeling (including threat modeling) must be done to assess the security risk for software, and that it must comply with a variety of standards, including NIST CSF, IEC 62443, ASVA, NIST 800-53 and many others.

In May 2022, the Office of Management and Budget (OMB) stated that all Federal Agencies and their relevant software suppliers must demonstrate compliance with SSDF 1.1. 

As of May 2023, FedRAMP officially approved and adopted the Rev. 5 baselines – aligning with the National Institute of Standards and Technology Special Publication 800-53 (NIST 800-53) Rev. 5 baselines that went into effect in September of 2021. 

The practice of threat modeling is recommended within NIST SP 800-53 Rev. 5. It is discussed in several areas of the publication, including a specific control (SA-11) dedicated to threat modeling and vulnerability analysis: ‘Require the developer of the system, system component, or system service to perform threat modeling and vulnerability analyses during development and the subsequent testing and evaluation of the system, component, or service.’

The Federal Information Security Management Act (FISMA) also stipulates that the NIST 800 series is to be followed. It does not require an agency to implement every single control but to implement the controls relevant to their organization and systems.

What is the perception of threat modeling?

The history of threat modeling has been a long one, and successfully rolling out a program with automated tooling is not an overnight activity. This can make some organizations reluctant to begin automating their existing processes, especially when the perception is that it will not save much time or money. In reality, threat modeling can save businesses a vast amount of money by refining penetration testing requirements, identifying flaws earlier on, and releasing more secure products without the need to go back and fix them in production. A great deal of time, remediation effort and resources can be saved by implementing threat modeling, but the key to making it successful is education and guidance.

OWASP 

In the OWASP Threat Modeling Chapter, author Victoria Drake says the following: “Done right, threat modeling provides a clear “line of sight” across a project that justifies security efforts. The threat model allows security decisions to be made rationally, with all the information on the table. The threat modeling process naturally produces an assurance argument that can be used to explain and defend the security of an application. An assurance argument starts with a few high level claims, and justifies them with either subclaims or evidence.”

Reddit

Here is one thread we found asking about threat modeling advice, and why it should be done: https://www.reddit.com/r/cybersecurity/comments/1cqlewo/thoughts_on_threat_modeling/ 

IriusRisk

Here are some snippets from recent customers on their view and experience of threat modeling:

“The main point of threat modeling is to highlight some of those issues that could occur and to put mitigating controls prior to them ever being an issue in the code. It's much cheaper to find those issues at the beginning.” - Software Sales Company 

“With IriusRisk, we’ve been able to carry on our threat modeling practices across our existing products with much greater ease - to the point where it is now a systematic process which alleviates any SPOC bottlenecks that we used to have.” - Axway

“We had been using Miro, OWASP Threat Dragon and some people were using Microsoft Threat Modeling Tool. But we found they were too basic for what we needed and scalability was a problem”. - ClearBank

“...as time goes on, we have seen product teams’ security awareness increase, and by applying their learnings from the IriusRisk Threat Model, they are considering security much earlier in the design process.” - Raiffeisen Bank International

“We have transitioned from reactive to proactive, where we can actually engage with the teams and continuously improve their development workflow through automation. IriusRisk has been a big part of that. Everyone has this common understanding of what threat modeling is all about and why security is important.” - ClearBank

Threat modeling in summary 

In the last 3-5 years, threat modeling usage and understanding have grown. Governments and associations have begun recommending and even mandating threat modeling as an activity to support secure software and risk management initiatives. It is a structured process, but one that can flex based on the industry, the product being threat modeled, and the preferred threat modeling methodology being adopted. If you are interested in learning more, sign up for our freemium threat modeling tool, Community Edition, or take a look at our eBooks and Guides.