All eyes are on you.
The moment you’ve been waiting for has arrived. You’ve convinced your boss that threat modeling warrants consideration. Now it’s time to convince everyone else.
Bosses three levels up the chain, including the VP of engineering, are waiting for you to begin. You feel the piercing stares in the pit of your stomach. What can you say to prove threat modeling makes sense in business, not technical, terms?
Cybersecurity spending is forecasted to exceed $124 billion dollars worldwide. Security is expensive and many security teams are asking for money. How does threat modeling measure up to the other security initiatives vying for budget?
Read this post and you’ll be ready to explain the benefits to anyone. Let’s review what reasons your executives have for investing in threat modeling.
Threat Modeling Produces Measurable Security
Everyone knows security is necessary. However, it’s difficult to quantify what having secure systems means or how it helps the bottom line, making budgeting decisions difficult.
Many business leaders suffer from a “we haven’t been hacked yet, so we’re okay” attitude. Doubtless Equifax felt the same way. We all know what happened to them.
In practical terms, however, the knowledge that a breach is possible is not enough to make real progress in your cybersecurity program. It’s difficult to measure how secure your systems are right now and where resources are needed to make them more secure in the future.
Threat modeling fills this gap. Continuous threat modeling provides a constant snapshot of the security posture of your applications. At any moment, you’ll know how vulnerable your applications are. You’ll see patterns pointing to architectural flaws that need extra attention.
A continuous snapshot of security gives fast feedback on how your current cybersecurity programs are helping to secure your applications. You know where to invest resources because you can pinpoint where the weak spots are.
Threat modeling measures the effectiveness of developer training. Development teams with similar issues popping up again and again can be retrained to eliminate fundamental flaws.
Your budget won’t be decided by the best middle management pitch, vendor pitch, or industry buzzword. Key security budget decisions are made using real data.
Threat Modeling Done Right Encourages Compliance
In heavily regulated industries, compliance is a non-negotiable part of the cybersecurity initiative. It’s often a constant struggle and remains in the back of everyone’s mind.
The only way to ensure compliance is to build it in from the start. Threat modeling done right points out exactly which architectures and features are required for compliance with certain regulations. Threat modeling ensures your design is compliant before any code is written.
Once the application is built right, with compliance in mind, you can feel confident during audit time. Your application can be built to enable the day-to-day processes that maintain compliance and provide proof.
When audit time comes, you’ll have everything ready to present to the auditor with the click of a button, saving huge expenses in time and effort.
Compliance-aware threat models encourage and simplify compliance. Use them.
Threat Modeling Saves You Money
Any business decision comes down to saving or making money (even compliance efforts are saving money by not getting fined).
Threat modeling saves money for the company, giving a tangible ROI in three ways.
You Spot Security Flaws When It’s Much Cheaper to Fix Them
You may be surprised at the relative cost of fixing bugs in certain phases of the software development life cycle. It’s quite staggering. A bug that could be fixed for next to nothing using threat modeling could cost you millions if found in production.
There are four main phases of software development: design, implementation, testing, and production (the finished product). Fixing bugs in the design phase is much cheaper than in the other phases.
It costs 6 times more money to fix flaws found in the implementation phase of software than the design phase. It costs 15 times more to fix bugs found in the testing phase.
It costs 100 times more to fix bugs found in production than those found in design. Let’s illustrate these differences.
Let’s say you have a traditional meeting for a threat modeling session with a software architect, 3 developers, a project manager, a security expert, and a compliance expert. The average hourly cost for these experts is $80 USD. If the meeting is 3 hours long, you’ve spent $1,680 USD to hold this meeting.
Let’s say you found 10 major problems with the architecture in those three hours. You’ve only spent $168 USD per bug to fix them. The beauty of the design phase is that there is no code to change yet.
Without the threat modeling meeting, you could find these 10 bugs in either implementation, testing, or production. What’s the cost if you did?
For the implementation phase, you’ll pay $1,008 per bug for a total of $10,080 to fix these bugs.
If found in the testing phase, you’ll pay $2,520 per bug for a total of $25,200 to fix the bugs.
If you find the bugs in production, you’ll now have to pay $16,800 per bug, for a whopping total of $168,000.
This growth rate is huge. For an application with one million lines of code, assuming 15 bugs per 1,000 lines of code (per the great book Code Complete), you’ll be looking at a total of 15,000 bugs. Using these numbers, the difference in cost between finding the bugs in design and production is $2,520,000 in design vs. $252,000,000 if found in production.
If you don’t find the bugs and they are exploited, resulting in a data breach, imagine the cost not only to fix the bug but in fines and lost revenue.
Is threat modeling worth the investment now?
You Use Your Money More Effectively
When budgeting time comes, everyone has the next best idea. Many middle managers vie for a piece of the budget pie to implement a pet project. Vendors are knocking down your door to get you to sign on the dotted line. How do you find the best way to allocate the limited money available?
Threat modeling gives you a constant snapshot of your current security posture. This snapshot allows you to send money where it’s needed most, not based on a slideshow or product demo, but based on real data.
A continuous threat modeling system allows you to see what weak spots exist in your applications. Development resources can be put toward reinforcing weak areas. Testing budgets, both internal testing and external penetration tests, can be focused on the most critical areas. Instead of spending huge amounts of money testing a rock solid design, test the areas of concern to flush out vulnerabilities before they cause real damage to your customers and company.
Money is a limited resource. Use threat modeling to allocate the right amounts toward the areas that need it the most. Use real data to make sound decisions, not buzzwords or manager presentations.
You Spot Architecture Problems Long Before They Become an Exploit
Coding errors are not the only source of bugs. Many come from the architecture of the software system itself. Poor design or mistakes in design can lead to major flaws that allow bad guys to bypass basic security measures.
Architecture flaws are also incredibly expensive to fix, since it is the software equivalent of fixing a foundation after the house has been built. You’ll be moving around so many parts that it’ll be difficult not to affect other pieces of the system in a negative way. And vulnerability scanning tools, like DAST and SAST tools, aren’t built to find fundamental flaws in architecture.
Threat modeling identifies major architectural problems before they lead to a security breach. Breaches will cost the company dearly in fines and damages, not including the work needed to fix what caused them (which we’ve already shown to be very expensive).
The bottom line: A few hours of threat modeling will likely save you thousands of dollars or more down the line.
Threat Modeling Doesn’t Have to Slow Down DevSecOps
One common objection to threat modeling is the time it takes to do it right. Many feel like they barely have the time to do their normal day-to-day work, let alone add threat modeling sessions on top of it.
We’ve demonstrated that the cost of sending a group of people to a threat modeling meeting is well worth it. And let’s face it, many people’s time is spent bogged down in pointless status meetings that add zero value to the company (but that’s a rant for another day).
However, threat modeling doesn’t have to be time-consuming. It can be worked into a DevSecOps process and bring you the benefits without slowing down development teams.
The Pareto principle will help make threat modeling reality in DevSecOps environments. There will be a trade-off between speed and accuracy. The longer you look at a design, the more flaws you’ll find. But you can’t look forever.
Spending 20% of your time to identify 70-80% of the flaws, however, could be a good balance for DevSecOps. Some time will be needed, but not so much that development grinds to a halt. You’ll be able to find the glaring flaws and fix them before the code hits production.
The right tools and integrations make security easier to track and easier to achieve. Developer-focused tools ensure development isn’t slowed down by introducing new processes.
Imagine a world where developers get tickets sent straight to the tools they use every day with improvements suggested by a comprehensive threat model. You could build a threat model, monitor progress toward fixing any issues, and do it all within the existing development workflow.
This world will give your developers the freedom to take on security fixes along with feature requests in a seamless stream of tickets. They’re not only fixing bugs but learning why they should be fixed and how. Security engineers can continually monitor those tickets to ensure they’re being closed in a timely manner.
Managers and executives can see at a glance which systems have implemented necessary compliance measures. They can see at a glance which systems are the highest risk for the company and act accordingly.
That’s the power of the right threat modeling tool. IriusRisk is that tool. Get in touch if you want your threat modeling to seamlessly integrate with your development workflow. Your security team, development team, and executives will thank you.
Use threat modeling to produce measurable security, build compliance in, and save loads of money. Use IriusRisk to do it without slowing down development.
The meeting with your bosses is not so scary anymore. As you sit down to a resounding round of applause, you feel satisfied. You just took your company’s security forward by leaps and bounds. Congratulations!