A recent study from Security Compass found just 25% of organizations surveyed conduct threat modeling during the early phases of software development—requirements gathering and design—before proceeding with application development.

Key findings include:

  • Current Performance on Threat Modeling Approaches
    • Only 25% of survey participants indicate their organizations conduct threat modeling during the early phases of software development (requirements gathering and design), before proceeding with application development.
    • Less than 10% report their organizations perform threat modeling on 90% or more of the applications they develop. Most commonly, organizations test between 50% and 74% of their applications.
  • Lack of Automation
    • Over 60% of organizations believe that all aspects of their organization's threat modeling could be fully automated, yet only 28% have reached that threshold.
    • More than half of organizations face challenges in automating and integrating their threat modeling activities with other technologies, with 41% of respondents expressing that it takes too long.
  • Impact of COVID-19 & Supply Chain Vulnerability
    • Over 80% of organizations had to make moderate to significant changes to their cybersecurity approach as a result of COVID-19.
    • Supply chains may be particularly vulnerable, with more than 84% of organizations reporting making cybersecurity changes because of supply chain vulnerability. However, 31% of companies do threat modeling on less than half the applications they develop associated with their supply chain.

According to Sounil Yu, Chief Information Security Officer at JupiterOne, a Morrisville, North Carolina-based provider of cyber asset management and governance solutions, "Threat modeling is a foundational engineering practice that helps build security into an application from the beginning. This is an activity that should be embraced by the developers and facilitated by the security team when needed. The practice of threat modeling is essentially a planning activity that uses a structured methodology to ensure that requirements are understood and unexpected conditions are addressed. To maximize the use of limited resources, security teams should partner with those on the development team that focus on planning and requirements (e.g., agile coaches, scrum masters, etc…) to ensure that they can walk through the threat modeling steps as a normal part of their sprint planning processes."

Threat modeling itself would be difficult to automate since it requires a level of planning, thought, and ingenuity that machines cannot easily replicate, Yu explains. "However, there are many tools that can assist practitioners in building a threat model and one can automate the creation of a toll gate in one's software development lifecycle to ensure that threat modeling artifacts are produced and captured."

Though threat modeling has always been important, few actually practice it, says Chris Morales, Chief Information Security Officer at Netenrich, a San Jose, Calif.-based Resolution Intelligence provider. "That is because it takes a level of understanding of how attacks function and relate to the attack surface that few individuals have the time or knowledge to perform. Moving forward, we need to move to operational models that allow for a lightweight form of modeling to understand current security posture against threats in the wild actively targeting an organization's resources. Doing so means automating as much as possible to enable constant output that provides situational awareness to all parts of the organization, not just the SecOps or DevOps team."