DevSecOps Threat Modeling
by Marisa Vesel, on Sep 18, 2019 11:00:00 AM
Security vulnerabilities are a major problem that organizations cannot afford to ignore. Nevertheless, too many still think of security as mostly an Operations issue. Against that backdrop, installing a culture of end-to-end security awareness for both the Development and Operations teams is not easy. But failing to do so means playing catch-up (and clean-up) with the disastrous results of security vulnerabilities later on.
There is a need to integrate processes into an organization’s development and operations teams that will prioritize ongoing security awareness throughout the application lifecycle.
DevSecOps threat modeling is an organizational culture that ensures security is a consideration from the beginning stages of development. Organizations can use DevSecOps to build more secure applications without causing a lot of friction in their build and deploy process.
What is Threat Modeling
Threat modeling is looking at applications through the lens of an attacker to find and highlight security weaknesses that could be exploited. By identifying potential threats throughout the software development lifecycle, security becomes a priority instead of an afterthought, saving security and development teams time and money. This helps security become part of the culture, creating the foundations of a DevSecOps work environment. Additionally, threat modeling helps teams better understand and learn each other’s roles, objectives, and pain points, which helps create a more understanding and collaborative organization.
After threats have been identified, both security and development teams can begin thinking about ways that the vulnerabilities can be fixed before the application ever goes live. Changes can be made to the build early on in the development process, while that knowledge is applied to future applications to decrease the number of vulnerabilities.
Why is Threat Modeling Important
Threat modeling is important for a number of reasons. First off, by continuously threat modeling applications, security teams can better protect systems and applications while educating the Development team and building a culture of security throughout the organization. Fixing vulnerabilities in an application is much easier to do so at the beginning of the development lifecycle than at the end.
Additionally, identifying threats at the beginning of the lifecycle is cost-effective. Rather than having to spend a lot of time and money cleaning up damage from hackers, the vulnerabilities are already eliminated before the application goes to production.
Finally, threat modeling improves communication between Security and Development teams. Threat modeling can act as a foundation for integrating a DevSecOps culture in the workplace. A DevSecOps culture helps increase collaboration between the Development, Security, and Operation teams. This ensures more transparency within the development process and leads to higher quality and more secure applications.
How to Get Started with Threat Modeling
When getting started with threat modeling, it is important to examine the features that are being built and to understand what type of information and access are included or handled in the build. Then, the build should be looked at through the “eyes” of an attacker to identify what kinds of attacks, leaks, or vulnerabilities could be made against what’s being developed. The security impact of each design decision should be considered.
After identifying these weaknesses, Development and Security teams should think about what action can be taken to protect what is being developed against possible attacks. Ideally, the weaknesses should be fixed, and the final design will protect the confidentiality and integrity of the data.
To measure efficacy, track the number of issues detected and fixed prior to committing code and ensure developers can pinpoint known security weaknesses. In addition, require threat model as a step in the application deployment process. This ensures it remains part of the development lifecycle.
Increase Safety by Adopting DevSecOps
Threat modeling is an important part of the software development lifecycle. It helps protect sensitive data within applications while increasing the communication and collaboration between the security, development, and operations teams. It’s not always easy to implement, but there are great returns for doing so properly.
To streamline your application lifecycle and aid your transition to DevSecOps, check out Inedo DevOps tools. They empower you to maximize developer time, minimize release risk, and empower stakeholders to bring their vision to life faster. All with the people and technology you have right now.