Building functional and secure software is a challenge for all organizations, irrespective of their size. Because development teams are typically judged on functional performance and delivery milestones, security was traditionally “outsourced” to separate security teams and testing regimens.
Smart organizations understand that taking a proactive approach to security, and giving engineering both the tools and the responsibility for building secure software, is more effective. This has led organizations to create and adopt secure coding best practices. Software developed against internal security policies and best practices is more secure and simpler to maintain. When followed, security best practices ensure that controls are identified and implemented for common threats.
Likewise, threat modeling can identify issues that can be addressed at the earliest point of the development process. This, too, lowers risk by identifying controls for developers and operational security.
So why are threat modeling and security best practices not a part of every software development process? For threat modeling, the reason is that traditional, manual threat modeling is resource-intensive. For security best practices, it is challenging to ensure compliance because mapping best practices into actionable controls for each application and threat can be difficult.
Threat modeling is an exercise that identifies threats across several environments, including technological threats based on the frameworks, languages, and software products underlying the application. It also identifies environmental threats inherent in the deployment environment, and operational threats resulting from failure of internally or externally mandated policies and procedures. An effective threat model has two distinct parts: threat identification and threat controls.
Threats can be identified and enumerated in many ways. Technological and environmental threats based on the technical stack and deployment environment comprise the majority of threats. Itemizing these threats can be automated because they are independent of trust boundaries and specific threat actors: a SQL injection threat exists wherever a relational database is in the stack, whoever the attacker is. Automating technological and environmental threat identification has the added benefit of scalability, making it possible to apply threat modeling to a much larger portion of an organization’s application inventory.
Assuring Best Practices in Threat Controls
While identifying threats is a necessary first step, identifying, selecting, and implementing controls to mitigate risk from those threats is what makes software secure. In mature organizations these controls are consistent across all projects and reduced to secure coding best practices: specific actions required of development and security teams to ensure more secure software.
Validating Best Practices and Enforcing Controls
Once secure coding best practices are established, organizations need a way to test for proper implementation of the policies. These “validation activities” should be mapped to each control to ensure that each is implemented according to the organization’s security policies. Ideally, this includes test plans for QA or security to confirm controls are in place, with the validation performed by someone other than the implementer to support separation of duties.
Validation activities must also be traceable. Auditors, whether internal or external, require evidence of compliance with policies and requirements. Spreadsheets don’t help organizations determine which best practices are in-scope, are difficult to update for each policy change, and provide unreliable substantiation in the event of an audit.
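The following is an added illustration, not code from the original page or from any vendor's product, of the pipeline the preceding sections describe: enumerating technological threats from a declared stack, mapping each threat to a secure coding control and its validation activity, and producing a traceable coverage report that an auditor could check. The catalogs, threat and control identifiers, component names, and evidence references are all constructed for the example. Two caveats a practitioner would want are built in: a stack component with no catalog entry is reported as a gap rather than silently treated as threat-free, and a threat with no assigned control is raised as a finding rather than dropped.

```python
"""Stack-driven threat enumeration with control and validation traceability.

Added example. The catalogs below are constructed for illustration; a real
program would keep them as versioned policy artifacts, not hard-coded literals.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    id: str
    component: str
    description: str


@dataclass(frozen=True)
class Control:
    id: str
    threat_id: str
    practice: str      # the secure coding best practice required of engineering
    validation: str    # the validation activity that proves it was implemented
    validator: str     # who performs the validation (separation of duties)


# Constructed technology threat catalog, keyed by stack component (lower-case).
THREAT_CATALOG = {
    "postgresql": [Threat("T-01", "postgresql", "SQL injection via string-built queries")],
    "jinja2": [Threat("T-02", "jinja2", "Server-side template injection from user-controlled templates")],
    "jwt": [Threat("T-03", "jwt", "Token accepted with 'none' or attacker-chosen algorithm")],
    "aws-s3": [Threat("T-04", "aws-s3", "Bucket policy grants public read access")],
}

# Constructed control catalog: one best-practice control per threat, each with
# the validation activity and the team that performs it.
CONTROL_CATALOG = {
    "T-01": Control("C-01", "T-01", "Use parameterized queries only",
                    "SAST rule flags string-formatted SQL; QA runs injection test cases", "security"),
    "T-02": Control("C-02", "T-02", "Render only repository templates; autoescape on",
                    "Code review checklist item; scan for templates built from request data", "security"),
    "T-03": Control("C-03", "T-03", "Pin the accepted algorithm list when verifying tokens",
                    "Unit test rejects alg=none and an RS256/HS256 swap", "qa"),
    "T-04": Control("C-04", "T-04", "Block public access at the account level",
                    "IaC policy check on every plan; quarterly bucket ACL scan", "cloud-ops"),
}


def enumerate_threats(stack):
    """Return (threats, gaps): catalog threats for each known component, plus the
    components that have no catalog entry. Unknown components are reported, not
    skipped, so a missing catalog entry cannot masquerade as 'no threats'."""
    threats, gaps = [], []
    for component in stack:
        entries = THREAT_CATALOG.get(component.lower())
        if entries is None:
            gaps.append(component)
        else:
            threats.extend(entries)
    return threats, gaps


def build_plan(stack):
    """Map each enumerated threat to its control and validation activity.
    A threat with no catalog control is itself a finding and is raised, not dropped."""
    threats, gaps = enumerate_threats(stack)
    rows, uncontrolled = [], []
    for threat in threats:
        control = CONTROL_CATALOG.get(threat.id)
        if control is None:
            uncontrolled.append(threat.id)
            continue
        rows.append({"threat": threat.id, "component": threat.component,
                     "control": control.id, "practice": control.practice,
                     "validation": control.validation, "validator": control.validator})
    return {"rows": rows, "unknown_components": gaps, "uncontrolled_threats": uncontrolled}


def coverage_report(plan, evidence):
    """evidence maps a control id to a reference for the validation artifact
    (ticket, test-run id). Returns which controls are substantiated and which
    are not; 'complete' is True only when nothing is missing or unmapped."""
    validated, missing = [], []
    for row in plan["rows"]:
        ref = evidence.get(row["control"])
        if ref:
            validated.append((row["threat"], row["control"], ref))
        else:
            missing.append((row["threat"], row["control"], row["validation"]))
    complete = not missing and not plan["unknown_components"] and not plan["uncontrolled_threats"]
    return {"validated": validated, "missing": missing, "complete": complete}


if __name__ == "__main__":
    # Constructed stack declaration and evidence record for one application.
    plan = build_plan(["PostgreSQL", "jwt", "legacy-soap-gateway"])
    report = coverage_report(plan, {"C-01": "sast-run-1142"})
    for threat_id, control_id, why in report["missing"]:
        print(f"{threat_id} -> {control_id} not yet validated: {why}")
    print("unknown components (need catalog entries):", plan["unknown_components"])
```

The report is the audit trail the section asks for: every row ties a threat to the control that mitigates it, the activity that validates it, and the evidence reference that substantiates it, and the three ways the model can be incomplete (unvalidated control, unknown component, threat with no control) are each surfaced explicitly instead of being lost in a spreadsheet.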
Establishing and following best practices replaces ad hoc controls developed by security and engineering on a case-by-case basis. Best practices provide consistency, making certain that an identified threat is mitigated the same way from application to application and from month to month.
To learn more about modern threat modeling for enterprise security register for our upcoming webinar “Modern Best Practices to Accelerate your Threat Modeling for Enterprise Security”.