Security Compass Releases Research Report: The State of Threat Modeling in 2021

79% of survey respondents identify threat modeling as a top priority in 2021, yet many organizations are still falling short in taking action or updating their approach

TORONTO – June 30, 2021 — Security Compass, developer of the industry’s first Balanced Development Automation (BDA) platform, today published the results of a new report, “The State of Threat Modeling in 2021.” The study was designed to provide a better understanding of the current state of threat modeling in mid-sized, $100M to $999M and large sized, $1B + enterprises, with a specific focus on the challenges organizations face in scaling threat modeling for the applications they build and deploy. Individuals directly involved in threat modeling efforts within their organizations provided insights on their companies’ approach as well as gaps and vulnerabilities.

The most pressing issue uncovered by the study was the growing priority of threat modeling for applications that companies build, coinciding with a belief that the majority or all of these efforts could be automated. Traditional threat modeling practices are historically slow, and hinder an organization’s goals of getting applications to market quickly. Additionally, over half of respondents reported issues when trying to integrate this essential process into their existing technologies. These shortcomings contributed to the finding that less than half of organizations feel very prepared for critical cybersecurity threats. There is a clear need for more scalability and automation in threat modeling to balance rapid software development with secure software development.

Key Findings Include:

Current Performance on Threat Modeling Approaches

  • Only 25% of survey participants indicate their organizations conduct threat modeling during the early phases of software development requirements gathering and design, before proceeding with application development.
  • Less than 10% report their organizations perform threat modeling on 90% or more of the applications they develop. Most commonly, organizations test between 50-74% of their applications.

Lack of Automation 

  • Over 60% of organizations believe that all aspects of their organization’s threat modeling could be fully automated, yet only 28% have reached that threshold.
  • More than half of organizations face challenges in automating and integrating their threat modeling activities with other technologies, with 41% of respondents expressing that it takes too long.

Impact of COVID-19 & Supply Chain Vulnerability

  • Over 80% of organizations had to make moderate to significant changes to their cybersecurity approach as a result of COVID-19.
  • Supply chains may be particularly vulnerable, with more than 84% of organizations reporting making cybersecurity changes because of supply chain vulnerability. However, 31% of companies do threat modeling on less than half the applications they develop associated with their supply chain.

“Software is being used in almost every aspect of everyday life, making it essential for organizations to be equipped with the necessary resources to perform timely threat modeling on the applications that they develop and deploy,” said Rohit Sethi, CEO, Security Compass. “Threat modeling ensures that vulnerabilities are recognized and remediated before they become a problem. Security Compass is hopeful that by providing the industry with detailed insights into the state of threat modeling, more organizations will self-assess, identify areas where they can automate and improve their existing approach to threat modeling, and ultimately improve their overall security posture.”

Security Compass’ expertise is supported by recent industry award recognition, including being named a Gold Winner for Threat Modeling in two 2021 awards programs: the Globe Cyber Security Excellence Awards and the Cybersecurity Excellence Awards. Additional recognition in 2021 by the Cyber Defense Magazine (CDM) Global Infosec Awards, and the 2021 CyberTech 100 list, highlight Security Compass’ continued innovation in application security, DevSecOps and compliance, as well as the company’s dedication to helping organizations defend themselves against today’s threat landscape without compromising time to market.

For more information, and to view the full State of Threat Modeling in 2021 Report, click here.

About the Survey
Security Compass commissioned Golfdale Consulting to conduct this survey research project. The survey was conducted online from May 10, 2021 through May 23, 2021 with 213 respondents (75% U.S. and 25% UK). Companies represented were required to have engineering teams of over 100 FTE who developed custom software, and survey respondents themselves were from relevant key functional areas including: cyber/information security, product management, software development/DevOps, compliance or risk management, audit and accounting/finance.