Penetration Testing and Threat Modeling - a unified approach to security
To start, let’s just re-cap what they both are. Then we will dive into whether they complement each other, do you need to threat model if you're already pen testing, and ultimately, should they coexist as two security techniques?
What are these two approaches to security?
Threat modeling is a repeatable way of assessing the security of your architecture, quantifying your level/ likelihood of risk, and concluding with actionable countermeasures to mitigate those risks. If you’d like to learn more, you can review this blog ‘What is threat modeling?’
Pen testing has been defined by our valued partner, Black Duck, as an authorized simulated attack performed on a computer system to evaluate its security. Penetration testers use the same tools, techniques, and processes as attackers to find and demonstrate the business impacts of weaknesses in a system. They can examine whether a system is robust enough to withstand attacks. You can find out more here ‘What is penetration testing?’
We already pen test successfully - why should we threat model?
Penetration testing is a valuable security investment, especially as these tests can highlight weaknesses that would have otherwise been missed. If you have your own ‘Red Team’ in house, then you can provide a timely and clear scope for the activities to be undertaken. The problem is, penetration testing doesn’t come cheap - and you can argue why should it? - The Ethical Hackers often doing the pen test are highly experienced and very skilled in what they do - and more often this is an outsourced speciality.
Pen testing is not easily implemented as a repeatable process. It heavily depends on the provider, lacks a one-size-fits-all methodology, and can vary based on the experience and skills of the analyst performing the assessment—pen testing, after all, is also an art.
In an ideal world, you will still have your penetration tests, but reduce the amount of tests required. In addition, if you have performed threat modeling first, the result should be successful tests with no further action. By threat modeling your app, service, or architecture, you minimize the number of flaws, weaknesses and therefore vulnerabilities that could otherwise find their way into your final product. Resulting in a secure by design application, and streamlined penetration tests, with a higher success rate. After all, 50% of software vulnerabilities are flaws at the design stage and it is 100x more expensive to fix these flaws in production. Why wait, when you can mitigate this problem at the very beginning, with threat modeling?
If we threat model, can penetration testing be removed?
No, keep it! Testing your systems robustness to various attacks and exploits remains an extremely worthwhile activity. It allows you to test specific scenarios or attack types to simulate the results if it really happened. Being aware of the security of your products and having some peace of mind that the simulated attacks weren’t successful, is useful for security teams and C-Level management. Without penetration testing, your security strategy can remain theoretical, rather than finding out in practice. The OWASP Foundation has a framework you can read and adopt with additional information here ‘The OWASP Testing Framework - Penetration Testing Methodologies.’
Threat modeling can help pen testers gain a better understanding of the system or application being tested - as there can be challenges in getting the full information of what is being tested. Equally, any out-of-scope risks must be defined from the outset - the last thing you need is a pen testing team wasting effort on those if you haven’t been explicit at the beginning.
Threat modeling results inform the types of activities that need to be conducted during a penetration test, which is helpful for limited resources and budgets to carry out this activity. Penetration tests vary depending on the test being undertaken, whether it is billed on a day rate and so on, but it can cost $15-20k per pen test. Smaller organizations simply won’t have the budget to red team all of the potential scenarios. Threat modeling streamlines this important activity while giving a full 360 view of the Software Development Lifecycle (SDLC).
The benefits of a threat modeling and penetration testing approach
If you have a threat modeling process in place, you are introducing a proactive security strategy, and not just reactive in terms of responding to security events that arise and require attention. As mentioned earlier, it ensures businesses develop applications and services which are secure by design.
Once the threat model is deemed completed (bear in mind it should be a live threat model and revisited at a later date to assess new potential attack vectors and threats), pen testing verifies the effectiveness of mitigation strategies carried out during threat modeling, and whether security controls are working as expected. Thus providing a helpful feedback loop created by the testing results. Finally, it addresses the fourth question from Adam Shostack. ‘Did we do a good job?’ allowing a thorough assessment and ongoing enhancements to the organization's overall security posture.
How can this work in practice in IriusRisk?
In our Threat Modeling Tool, the results of certain tests can also be recorded within the threat model, which will naturally impact and change the overall risk rating. Giving a full audit trail of the design, through to penetration testing and release. We allow all users to export the full threat model and reports too, to better inform your pen testing activities.
Learn more
If you’d like to learn more about the benefits of penetration testing, our partner, Toreon, has summarized it well in this useful blog ‘7 Advantages to Penetration Testing.’
And if you are curious to hear how we support companies of all different types with their threat modeling journey, see our platform page, or get in touch with us for a no obligation demo.
