There are 5 key challenges for threat modelling in 2023. Has your organization run up against them yet?
In a 2019 survey, 42% of organizations that had experienced an external attack blamed the incident on a software security flaw. In 2023, that statistic has risen to over 50%.
So how can teams overcome these challenges? Let's explore:
Firstly, What is Threat Modelling?
Software development teams know the importance of implementing “security by design” from the early stages of the SDLC. This approach, radically different from the security as an afterthought approach practiced earlier, focuses on proactively preventing cybersecurity breaches, rather than reactively remediating them, thus enabling dev teams to create secure software from the outset. One of the most effective ways to leverage the security-by-design approach early in the SDLC is threat modelling.
Threat modelling involves systematically analyzing, from an attacker’s perspective, any potential threats to the org’s applications, systems, or other assets like confidential data or intellectual property. In fact, continuous and consistent threat modelling using a model like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) or PASTA (Process for Attack Simulation and Threat Analysis) is an efficient way to strengthen any organization's DevSecOps culture, drive effective security measures, and lower remediation costs.
Even so, many organizations face challenges in implementing it in practice. Here are five of the most common.
#1: Threat Modelling Process Saturation
Numerous threat modelling processes are available, frequently leading to confusion, especially for teams lacking an experienced security expert. This makes it difficult to judge the various processes and select the right one to drive cyber defence priorities.
The wrong choice can lead to inadequate or inappropriate cybersecurity investment. Equally worrying, it may lead to overconfidence in the organization’s security posture and risk mitigation capabilities, which increases its vulnerability to attacks.
Some teams also struggle to validate their threat model. When they don’t know how to effectively mitigate the threats they find, those threats are left unaddressed, once again increasing the risk of attack. Process saturation is a particularly common hurdle for SMBs, which may have more limited in-house resources.
#2: Non-Monolithic Applications
Threat modelling is more accessible for simple, monolithic applications when there is little reliance on external entities, or when a consumable view of the computing ecosystem is available. But today’s applications are anything but simple.
As they’re scaled up and migrated to the cloud, the application team is often responsible for full-stack management. This is a complete departure from previous legacy deployments, where IT completely managed the application’s physical servers and networking infrastructure.
The threat model must account for these additional infrastructure-related responsibilities, scope changes, expanded topologies, and associated risks, which is not always easy for a Dev team to do.
#3: Unrecognized Entry Points and Trust Boundaries
Another of the most common challenges for threat modelling in 2023 is unrecognized entry points and trust boundaries.
With most cloud service providers, including popular ones like Amazon Web Services, many entry points go unrecognized by the application team. These include publicly exposed management APIs and services.
This means many entry points can be accessed from the Internet, including API gateways that allow cross-account invokes, Lambda functions that anyone holding the Invoke IAM permission can call, S3 buckets with public endpoints, and SQS event queues into which an attacker can directly inject malicious events.
Consequently, the Data Flow Diagrams (DFDs) and Process Flow Diagrams (PFDs) used to model threats, and better understand how bad actors can gain access to an asset, are significantly more complex than they would be with known entry points.
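To make the STRIDE and trust-boundary points above concrete, here is an added example (not code from the original article): a small data-flow diagram is described as elements and flows, the STRIDE-per-element table is applied to each, and every flow that crosses a trust boundary is flagged as an entry point so it is reviewed first. The sample system, the trust-boundary names and the STRIDE-per-element mapping are assumptions made for this illustration.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram (DFD).

Added example, not code from the original article. The sample system, the
trust-boundary names and the STRIDE-per-element table are assumptions made
here to illustrate the technique; nothing below is a specific product's model.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# STRIDE-per-element: the threat categories that apply to each DFD element kind.
STRIDE_PER_ELEMENT: Dict[str, Set[str]] = {
    "external_entity": {"Spoofing", "Repudiation"},
    "process": {"Spoofing", "Tampering", "Repudiation", "Information Disclosure",
                "Denial of Service", "Elevation of Privilege"},
    "data_store": {"Tampering", "Repudiation", "Information Disclosure",
                   "Denial of Service"},
    "data_flow": {"Tampering", "Information Disclosure", "Denial of Service"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # key of STRIDE_PER_ELEMENT
    boundary: str   # trust boundary the element lives in


@dataclass(frozen=True)
class Flow:
    name: str
    source: str     # Element.name
    dest: str       # Element.name


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    crosses_boundary: bool  # True for flows that cross a trust boundary (entry points)


# Constructed sample: a cloud application reachable from two outside trust zones,
# mirroring the kinds of entry points listed in the article.
SAMPLE_ELEMENTS = [
    Element("internet user", "external_entity", "internet"),
    Element("partner system", "external_entity", "partner-account"),
    Element("api gateway", "process", "app-account"),
    Element("order lambda", "process", "app-account"),
    Element("orders bucket", "data_store", "app-account"),
    Element("events queue", "data_store", "app-account"),
]
SAMPLE_FLOWS = [
    Flow("user->gateway", "internet user", "api gateway"),
    Flow("gateway->lambda", "api gateway", "order lambda"),
    Flow("lambda->bucket", "order lambda", "orders bucket"),
    Flow("partner->queue", "partner system", "events queue"),   # cross-account send
    Flow("queue->lambda", "events queue", "order lambda"),
]


def _crosses(flow: Flow, by_name: Dict[str, Element]) -> bool:
    return by_name[flow.source].boundary != by_name[flow.dest].boundary


def entry_points(elements: List[Element], flows: List[Flow]) -> List[str]:
    """Flows that cross a trust boundary: each one is a path an outsider can use."""
    by_name = {e.name: e for e in elements}
    return [f.name for f in flows if _crosses(f, by_name)]


def enumerate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    """Apply the STRIDE-per-element table to every element and every data flow."""
    by_name = {e.name: e for e in elements}
    threats: List[Threat] = []
    for e in elements:
        for cat in sorted(STRIDE_PER_ELEMENT[e.kind]):
            threats.append(Threat(e.name, cat, False))
    for f in flows:
        for cat in sorted(STRIDE_PER_ELEMENT["data_flow"]):
            threats.append(Threat(f.name, cat, _crosses(f, by_name)))
    return threats


def prioritised(threats: List[Threat]) -> List[Threat]:
    """Boundary-crossing flows first: that is where unrecognised entry points hide."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.target, t.category))


if __name__ == "__main__":
    print("entry points:", entry_points(SAMPLE_ELEMENTS, SAMPLE_FLOWS))
    for t in prioritised(enumerate_threats(SAMPLE_ELEMENTS, SAMPLE_FLOWS)):
        flag = "ENTRY" if t.crosses_boundary else "     "
        print(f"{flag} {t.target:16} {t.category}")
```

Adding an element or flow to the lists is all it takes to re-run the enumeration after an architecture change, which is the "continuous and consistent" part of the practice; the boundary check is what turns the article's list of cloud entry points (cross-account gateway invokes, queue injection) into concrete review items rather than afterthoughts.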
#4: The Abuse of Authentication Tokens
An attacker who possesses a properly-permissioned authentication token can easily threaten a cloud service provider’s publicly exposed control plane. For example, in AWS, temporary authentication tokens are transferable and can be used outside the application environment.
An information leak can expose an authenticated session token that lets a threat actor bypass security safeguards and mitigating controls and reach something they could not otherwise access.
Thus, what was once considered a “low-risk” information leak now carries a higher severity, requiring appropriate representation and analysis in the org’s threat model.
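Because a leaked temporary token can be replayed from anywhere, the detection a defender wants is "this session's credentials were used from outside the environment that obtained them". The following added example (not code from the original article) runs that check over constructed log records shaped like AWS CloudTrail events; `eventName`, `sourceIPAddress`, `userIdentity.type` and `userIdentity.arn` are real CloudTrail fields, while the role name, session names and the "expected" network ranges are assumptions for the demo.

```python
"""Spot temporary credentials being used outside the application environment.

Added example, not code from the original article. The log records below are
constructed to resemble AWS CloudTrail events (eventName, sourceIPAddress,
userIdentity.type and userIdentity.arn are real CloudTrail fields); the role
name, session names and the "expected" network ranges are assumptions.
"""
import ipaddress
import json
from typing import Dict, Iterable, List, Set

# Assumption: the workload only ever calls AWS from these ranges (VPC + office NAT).
EXPECTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed sample: one assumed-role session seen both inside and outside the
# environment, one normal session, and an IAM-user call that is not scored.
SAMPLE_EVENTS = [
    '{"eventName": "GetObject", "sourceIPAddress": "10.0.1.5", '
    '"userIdentity": {"type": "AssumedRole", '
    '"arn": "arn:aws:sts::111122223333:assumed-role/OrderLambdaRole/sess-a"}}',
    '{"eventName": "GetObject", "sourceIPAddress": "198.51.100.23", '
    '"userIdentity": {"type": "AssumedRole", '
    '"arn": "arn:aws:sts::111122223333:assumed-role/OrderLambdaRole/sess-a"}}',
    '{"eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23", '
    '"userIdentity": {"type": "IAMUser", '
    '"arn": "arn:aws:iam::111122223333:user/alice"}}',
    '{"eventName": "PutObject", "sourceIPAddress": "lambda.amazonaws.com", '
    '"userIdentity": {"type": "AssumedRole", '
    '"arn": "arn:aws:sts::111122223333:assumed-role/OrderLambdaRole/sess-b"}}',
]


def source_is_expected(source: str) -> bool:
    """True for addresses inside EXPECTED_NETWORKS. CloudTrail records calls made
    by AWS services on your behalf with a service name instead of an IP
    (e.g. 'lambda.amazonaws.com'); those are not IPs and are treated as expected."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in EXPECTED_NETWORKS)


def out_of_environment_calls(events: Iterable[str]) -> List[Dict[str, str]]:
    """Assumed-role calls whose source address lies outside the expected ranges."""
    findings: List[Dict[str, str]] = []
    for line in events:
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        src = ev.get("sourceIPAddress", "")
        if not source_is_expected(src):
            findings.append({"arn": ident["arn"], "eventName": ev["eventName"],
                             "sourceIPAddress": src})
    return findings


def sessions_seen_from_both_sides(events: Iterable[str]) -> Set[str]:
    """Session ARNs used from inside AND outside the environment: the signature
    of a temporary token that has been copied out of the workload."""
    inside: Set[str] = set()
    outside: Set[str] = set()
    for line in events:
        ev = json.loads(line)
        ident = ev.get("userIdentity", {})
        if ident.get("type") != "AssumedRole":
            continue
        bucket = inside if source_is_expected(ev.get("sourceIPAddress", "")) else outside
        bucket.add(ident["arn"])
    return inside & outside


if __name__ == "__main__":
    for f in out_of_environment_calls(SAMPLE_EVENTS):
        print("out-of-environment call:", f)
    print("sessions used from both sides:", sessions_seen_from_both_sides(SAMPLE_EVENTS))
```

The second function is the more useful signal: a single out-of-range call might be a misconfigured allow-list, but the same session ARN appearing from inside and outside the environment within its lifetime is hard to explain innocently. The preventive counterpart, which the threat model should record alongside the detection, is to restrict in IAM where the role's credentials are allowed to be used (AWS supports source-VPC and source-IP conditions on policies), so that a copied token is refused rather than merely logged.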
#5: Difficulties in Predicting Risk
Last but not least on our list of challenges for threat modelling is the difficulty of predicting risk.
Even for the most well-equipped team, it can be challenging to determine high-level threats and break them into sub-threats that can be more easily addressed. Another challenging aspect is identifying the failure conditions that could lead to the realization of these threats. An understanding of these conditions can provide a deeper understanding of the likelihood and criticality of the threat and also support the organization's risk mitigation efforts.
A completed threat model should support risk mitigation, and provide the proper framework and techniques for robust application security testing, so the team can more effectively predict possible attack scenarios.
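One practical way to break a high-level threat into sub-threats and to name the failure conditions behind each is an attack tree, where leaves carry the estimated likelihood of a failure condition and AND/OR gates combine them upward. The added example below (not code from the original article) builds such a tree for the bucket-and-queue scenario discussed in this post and ranks which sub-threat is worth mitigating first. The tree, the leaf likelihoods and the assumption that leaf events are independent are all constructed for illustration.

```python
"""Decompose a high-level threat into sub-threats with an attack tree and
estimate its likelihood from the failure conditions at the leaves.

Added example, not code from the original article. The tree, the leaf
likelihoods and the assumption that leaf events are independent are
constructed for illustration; real estimates come from the team's own evidence.
"""
import copy
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Node:
    name: str
    gate: str = "OR"            # "OR": any child suffices; "AND": every child is needed
    p: Optional[float] = None   # leaf likelihood in [0, 1]; None for internal nodes
    children: List["Node"] = field(default_factory=list)


def likelihood(node: Node) -> float:
    """Propagate leaf likelihoods up to the node (independence assumed)."""
    if not node.children:
        if node.p is None:
            raise ValueError(f"leaf {node.name!r} has no likelihood")
        return node.p
    ps = [likelihood(c) for c in node.children]
    if node.gate == "AND":
        return math.prod(ps)
    # OR: the threat is realised unless every sub-threat fails
    return 1.0 - math.prod(1.0 - q for q in ps)


def mitigation_ranking(root: Node) -> List[Tuple[str, float]]:
    """For each direct sub-threat, how much the root likelihood drops if that
    sub-threat is fully mitigated (its likelihood forced to 0). Highest first."""
    base = likelihood(root)
    ranking: List[Tuple[str, float]] = []
    for i, child in enumerate(root.children):
        trial = copy.deepcopy(root)
        trial.children[i] = Node(child.name, p=0.0)
        ranking.append((child.name, base - likelihood(trial)))
    return sorted(ranking, key=lambda r: r[1], reverse=True)


# Constructed sample tree for the entry points and token abuse discussed in the post.
SAMPLE_TREE = Node("attacker reads customer records from the orders bucket", "OR", children=[
    Node("steal temporary credentials", "AND", children=[
        Node("session token leaks via logs or an error page", p=0.2),
        Node("token accepted from outside the environment", p=0.9),
    ]),
    Node("bucket policy allows public read", p=0.1),
    Node("injected queue event makes the lambda export records", "AND", children=[
        Node("cross-account SendMessage allowed on the queue", p=0.3),
        Node("lambda trusts message content without validation", p=0.5),
    ]),
])

if __name__ == "__main__":
    print(f"root likelihood: {likelihood(SAMPLE_TREE):.4f}")
    for name, drop in mitigation_ranking(SAMPLE_TREE):
        print(f"  mitigate {name!r}: likelihood drops by {drop:.4f}")
```

Two things fall out of the structure rather than the numbers. Each AND gate shows which single failure condition, if removed, neutralises a whole sub-threat (rejecting tokens presented from outside the environment collapses the credential-theft branch even if leaks still happen), and the ranking makes the choice between investments explicit instead of intuitive. Multiplying the root likelihood by the asset's impact rating gives the criticality the article refers to.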
Over 70% of security vulnerabilities exist at the application layer. Due to this, threat modelling provides an effective way to lower the probability that they could compromise an organization's security posture.
Make threat modelling an invaluable part of your organization’s DevSecOps culture by getting your free, zero-obligation quote from our ethical hacking team here at Packetlabs.