We have already seen what is meant by basic ‘Threat Modeling‘ in an earlier post… let us now see what is meant by Automated Threat Modeling and the need for it in this post…
To recall, ‘Threat Modeling’ is a proactive approach and it involves finding threats and vulnerabilities as early as possible in systems to protect them in the long run.
With automatic transmission cars, automatic faucets and so much of the world becoming more and more automated, why not ‘Threat Modeling’ too?
Why Automated Threat Modeling?
- The traditional automated threat modeling approach is extremely cumbersome and lengthy
- Traditional threat modeling is expensive as well
- It requires specialized talent(like having a keen eye to sniff out weaknesses and special training to do the same)
- There are a huge number of tools and methodologies and one has to learn and understand what is best for them
- There is a possibility that not all stakeholders will opt for threat modeling as a required activity as it is lengthy and expensive
All these reasons motivated the creation of the ‘Threat Modeling with/as code’ concept. By automating threat modeling we reduce the pressure on the development and security teams.
There are numerous tools to do ‘Threat Modeling with/as code’. Some of them are:
- Pytm
- Threatspec
- ThreatPlaybook
- PlantUML
We have already seen ‘Pytm‘ in another post which is an example of ‘Threat Modeling with code’. In manual threat modeling, data flows have to mapped manually, attack trees have to be drawn, which itself is an elaborate and time consuming process. Based on these, threats will be prioritized and mitigation measures will be suggested. This is a long process and in this age of “instant everything”, requirements might have changed by the time the threat report is generated. This necessitates the need for automated threat modeling tools.
With automated threat modeling tools like Pytm or Threatspec or Threagile, the entire threat modeling process can be automated and threat reports are quickly generated. Different tools use different ways to automate the threat modeling process.
This post is a part of Blogchatter Half Marathon 2023