In the video linked below, I am joined by two cybersecurity experts from Ford Motor Company. We discuss the value that threat modeling brings to DevSecOps by shifting work left (earlier in the lifecycle). During the discussion, I mention drawing a picture of the process under review; this is explained in more detail in my post about creating a data flow diagram.
Threat modeling is the process of:
- identifying potential threats
- enumerating the risks and consequences that follow if a threat leads to a vulnerability, and that vulnerability in turn leads to an exploit
As with all modeling, there are multiple methods of deriving and categorizing these risks. I often categorize them by Confidentiality, Integrity, and Availability (CIA).
Threat modeling is an invaluable tool for identifying bugs as early in the lifecycle as possible (shifting left), because it is performed in the design phase before any code is written. With the potential threats and associated risks enumerated, architects and developers can address them during development instead of after. Infrastructure engineers can also put in compensating controls that lessen the likelihood of a vulnerability being exploited and/or lessen the impact of an exploit.
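To make the process concrete, here is an added example (my own illustration, not code from the video or from Ford) of a tiny threat-model register built from a data flow diagram. The elements, flows, rule set, likelihood and impact numbers are all constructed; a real model would use the team's own scoring scale. It walks the three steps above: the data flow diagram is the input, a handful of rules enumerate threats at every trust-boundary crossing, each threat is tagged with the CIA property it affects and scored as likelihood × impact, and compensating controls are then applied to show which risk they reduce and which remains for developers to fix in the design.

```python
"""Threat-model register from a data flow diagram (constructed illustration)."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Element:
    name: str
    trust_zone: str  # constructed zone labels: "internet", "dmz", "internal"


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    sensitivity: int  # 1 (public) .. 5 (highly sensitive); used as the impact
    encrypted: bool = False
    authenticated: bool = False


@dataclass(frozen=True)
class Threat:
    flow: Flow
    description: str
    cia: str  # "C", "I" or "A": the property the threat affects
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int  # 1 (negligible) .. 5 (severe)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def crosses_trust_boundary(flow: Flow) -> bool:
    return flow.src.trust_zone != flow.dst.trust_zone


def enumerate_threats(flows: List[Flow]) -> List[Threat]:
    """Step 1: derive threats from the diagram with a few constructed rules."""
    found: List[Threat] = []
    for f in flows:
        hop = f"between {f.src.name} and {f.dst.name}"
        if crosses_trust_boundary(f):
            if not f.encrypted:
                found.append(Threat(f, f"{f.data} readable on the wire {hop}", "C", 4, f.sensitivity))
                found.append(Threat(f, f"{f.data} alterable on the wire {hop}", "I", 3, f.sensitivity))
            if not f.authenticated:
                found.append(Threat(f, f"{f.dst.name} accepts {f.data} from any sender", "I", 4, f.sensitivity))
        if f.src.trust_zone == "internet":
            found.append(Threat(f, f"{f.dst.name} can be overwhelmed by {f.data} requests", "A", 3, 3))
    return found


@dataclass(frozen=True)
class Control:
    """A compensating control caps the likelihood of the threats it applies to."""
    name: str
    applies_to: Callable[[Threat], bool]
    capped_likelihood: int


def apply_controls(threats: List[Threat], controls: List[Control]) -> List[Threat]:
    """Step 3: re-score each threat after the controls that cover it are in place."""
    rescored = []
    for t in threats:
        for c in controls:
            if c.applies_to(t):
                t = replace(t, likelihood=min(t.likelihood, c.capped_likelihood))
        rescored.append(t)
    return rescored


def total_risk(threats: List[Threat]) -> int:
    return sum(t.risk for t in threats)


def risk_by_cia(threats: List[Threat]) -> Dict[str, int]:
    """Step 2: summarise enumerated risk per CIA category."""
    totals = {"C": 0, "I": 0, "A": 0}
    for t in threats:
        totals[t.cia] += t.risk
    return totals


# Constructed sample system: a browser talking to an API that writes to a database.
BROWSER = Element("browser", "internet")
API = Element("order-api", "dmz")
DB = Element("orders-db", "internal")

FLOWS = [
    Flow(BROWSER, API, "payment details", sensitivity=5),
    Flow(API, DB, "order record", sensitivity=3, authenticated=True),
]

# Constructed controls an infrastructure team could add without code changes.
CONTROLS = [
    Control("TLS on every boundary crossing", lambda t: "on the wire" in t.description, 1),
    Control("rate limiting at the edge", lambda t: t.cia == "A", 2),
]

if __name__ == "__main__":
    before = enumerate_threats(FLOWS)
    after = apply_controls(before, CONTROLS)
    print(f"before controls: total {total_risk(before)} {risk_by_cia(before)}")
    print(f"after controls:  total {total_risk(after)} {risk_by_cia(after)}")
    for t in sorted(after, key=lambda t: -t.risk):
        print(f"  [{t.cia}] risk {t.risk:2d}  {t.description}")
```

Running it shows the enumerated risk dropping from 85 to 42 once TLS and rate limiting are in place, but the highest remaining item is the API accepting payment details from any sender. That is exactly the kind of finding that has to be addressed by architects and developers in the design, not by an infrastructure control, and the model surfaces it before a line of code exists.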
It is generally understood that shifting left is an important way of controlling software costs and producing higher quality. Threat modeling is yet another tool for the toolbox.