Here is the heart of the Community. Come and get to know our community members!
Do You Want Easy Threat Models or Effective Threat Models? (Blog)
Imagine you’re a developer in the middle of your current two-week sprint. You’re under a lot of pressure and working long days when the application architect tells you that you need to threat model your design. You may not have a lot of threat modeling experience. At that moment you probably see threat modeling as more of a hurdle to get over than a way of developing secure code. You’re probably thinking to yourself, what’s the easiest way to “check this box”? When it comes to threat modeling an application, you have a lot of options, and some of them are as simple as answering a list of questions. And if your goal is to just check the box, that’s not a bad way to go. Of course, in the back of your mind you realize that’s not going to get you the most effective threat model or, consequently, the most secure application. What to do?
Threat Modeling Options
The basis of any threat model is the architecture diagram. There are architecture diagrams based on data flows and there are archite
Why You Should Do Threat Modeling to Protect Your APIs (Blog)
When it comes to protecting your attack surface, there’s hardly anything more challenging than APIs. After all, APIs are your way of granting public access to data you’re responsible for protecting. And if you’re going to have a public-facing door to your data, you’d better protect that door pretty well. Of course, hackers are well aware of that public-facing door. So, it should come as no surprise that API attacks are on the rise.
API attacks are on the rise
According to The Hacker News, “hackers are increasingly exploiting APIs to gain access to and exfiltrate sensitive data. In 2022 alone, 76% of cybersecurity professionals admitted to experiencing an API security related incident. If that wasn't attention-grabbing enough, US businesses incurred upwards of $23 billion in losses from API-related breaches during the same time period.” Just the attention they get from attackers makes APIs challenging enough to protect. But there are other reasons too.
What makes protecting APIs so chal
Threat Modeling Makes Shopping Safe!
Retail stores have unique cybersecurity challenges, making them susceptible to cyberattacks. Luckily, ThreatModeler improves visibility into the supply chain, revealing vulnerabilities so they can be addressed. Address all threats in the supply chain and become secure by design with ThreatModeler. To read more about threat modeling for retail organizations, click here: https://threatmodeler.com/threat-modeling-for-retail-organizations/
Threat Modeling for Critical Infrastructure (Blog)
It’s not surprising that we have to protect our critical infrastructure from cyberattacks. What might be a surprise is what all constitutes critical infrastructure. There are actually 16 sectors for which the United States government has set up critical infrastructure cybersecurity. “These ‘sectors’ are areas in which both public and private organizations provide vital ‘assets, services, systems, and networks’ to the citizens of the United States.” When you think of critical infrastructure, the first things that probably come to mind are utilities. Some of the more obvious ones are energy services, nuclear reactors, water and wastewater systems, the chemical sector, transportation systems and communications. But critical infrastructure is more than just utilities. There are less obvious sectors that also constitute critical infrastructure. These include the financial services sector, food and agriculture, healthcare, emergency services, transportation and the defense industrial b
Threat Modeling for Manufacturers (Blog)
Even with software supposedly eating the world, there are still plenty of companies that make physical things. These products may not be as sexy or profitable as software, but they are every bit as essential. From a cybersecurity standpoint, not much has changed in manufacturing, until recently. From piecemeal work to the assembly line, from manual labor to automation, manufacturing has grown increasingly more efficient over time, but without a corresponding increase in security threats, until one thing happened. Companies were already making the investments in advanced manufacturing equipment when someone got the bright idea to plug all that equipment into a network so it could all talk to each other. And while the idea of the fully networked manufacturer has been a boon for productivity and profitability, unfortunately it has also been a boon for cybercriminals who specialize in attacking networked equipment.
Unique Security Challenges of Manufacturers
It’s called the Internet-of-Thi
Make Healthcare More Secure
As you saw in our most recent blog, healthcare organizations have experienced 875 breaches since December 2020. That is more than one breach each day! But threat modeling can help identify the flaws in your code putting your data at risk. Make your code secure by design and keep it healthy by implementing continuous threat modeling. It's like preventative care for your SDLC!
Threat Modeling for Healthcare Organizations (Blog)
When it comes to securing healthcare organizations, two things have become abundantly clear: Data breaches aren’t going to stop anytime soon and there’s more to protect than just data. The number of data breaches in the healthcare industry is shocking. The U.S. Department of Health and Human Services (HHS) is required to post a list of breaches of unsecured protected health information affecting 500 or more individuals. There have been 875 since December of 2020. That’s more than one per day. It’s more than just health records at risk though. Anything connected to a network, from surveillance cameras to medical devices, the so-called internet-of-things (IoT), are also at risk of attack. It’s gotten so serious, that effective March 30, 2023, “the US Food and Drug Administration (FDA) will require medical device manufacturers to provide cybersecurity information in their premarket device submissions. Additionally, beginning October 1, the FDA will exercise its authority to refuse submiss
Threat Modeling for Financial Organizations (Blog)
Financial organizations in general, and banks in particular, are about as far along the cybersecurity maturity curve as any industry. That should come as no surprise. Financial organizations have been dealing with threats against their assets since the days when the Pinkertons were protecting stage coaches. If anyone knows about cyber threats, it’s a financial organization. Unlike other industries, which tend to have a variety of assets to protect, financial institutions have only one kind of asset to protect: money (and information related to that money). Logically, these same organizations are the earliest and widest adopters of threat modeling. The old guard institutions in the financial industry do not need to be sold on the idea of threat modeling because they are already doing it.
State of the Financial Industry
Financial institutions’ assets are so appealing that finance remains the most targeted industry for cyber criminals. According to a cybersecurity report by Boston Consulting Group “banking
Is Every Diagram a Threat Model? (Blog)
With Executive Order 14028 and the companion NIST Internal Report 8397, organizations are required to diagram their software and, along with that, conduct threat modeling exercises. In this context, order 14028 supplies the mandate and IR 8397 provides guidance for how to comply. Whereas practitioners can quickly interpret and implement the SAST guidance given in IR 8397, its threat modeling guidance demands interpretation. For instance, when discussing threat modeling technique, IR 8397 references an SEI paper that itself refers to twelve (12) methods of threat modeling.
[Figure: Shevchenko's "Features by Threat Modeling by Method" table]
In her SEI paper, Shevchenko provides a table (see figure) describing the different features of various threat modeling methodologies. Before proceeding, note that there are different classes of “method” within this list. Some, like CVSS or OCTAVE, focus on scoring risk. Others, like STRIDE or SECURITY CARDS, focus on evaluating a checklist to discover risk.
How DevSecOps Can Increase Confidence In Security Architecture
“Proliferating threats and increasingly complex IT architectures are putting significant pressure on teams to keep their enterprise systems secure. These trends show no signs of slowing down, which raises the question: How are IT leaders planning to address these challenges as they make their way through 2023?”
Read the rest of the article from @archie here: https://www.forbes.com/sites/forbestechcouncil/2023/03/22/how-devsecops-can-increase-confidence-in-security-architecture/
How Threat Modeling Can Help Minimize Your Application's Blast Radius
“The blast radius of a security incident is defined as the amount of damage that the incident could potentially cause. It’s every account, file, application, server or other corporate asset that could be compromised once an attacker gets ‘inside’ the system.”
“An Exploit Chain is an attack that involves multiple exploits or attacks that are chained together to fully compromise a device. In these attacks, hackers cannot use a single exploit to compromise their target but instead can combine a series of exploits that ultimately lead to malware getting installed.”
Read the rest here.
The blast radius and exploit chain concepts remind me of the Target hack, which was a chain starting with the HVAC system. After they got in, nobody found them and they were able to spend time gaining a foothold. If Target had a better model of their attack surface, they might have realized that their internal security controls were too lax. This allowed the attackers, once inside the network, to gain access t
Can Threat Modeling Actually Improve Incident Response?
“Immediately after an incident, especially a major one, there seems to be about 36 hours of chaos. A period of time in which there is a lot of running around, trying to figure out what to do and where to start to answer those questions above. But, if you’ve previously threat modeled the compromised system, it should short circuit a lot of the running around. It eliminates the ‘where do I start?’ because the questions have already been answered. Without threat modeling, you are forced into a more generalized response. But having done threat modeling, you can zero in on important things faster. Since you’ve already modeled how your applications work, you know things like attack surfaces, exploitability and impact.”
Rest of the blog here.
Those of you who’ve been unlucky enough to have to respond to an incident, does this match your experience?
We brought home the gold! ThreatModeler is a CyberSecurity Excellence Awards Winner for 2023
We’re proud to announce our award in the category of Best Cybersecurity Startup - North America (between 50 to 99 employees):
https://cybersecurity-excellence-awards.com/2023-cybersecurity-company-awards-winners/
https://cybersecurity-excellence-awards.com/candidates/threatmodeler-6/
What's Needed to Turn Developers into DevSecOps?
“According to an ESG survey, DevOps, without an embedded security process, produces some uncomfortable results. For instance, 45% of software releases didn’t go through any security checks or testing, while 35% of new builds are deployed to production with misconfigurations, vulnerabilities or other security issues. One reason (34%) for these dismal results? Security can’t keep up with the cadence of software releases. To improve these results, something must change, and one impactful change is incorporating continuous threat modeling into the DevOps flow.”
Read the rest here.
What’s been your experience with DevSecOps and integrating security into development? One good experience I had was working at Automox with a CISO who described himself as “the most business friendly CISO you’re ever going to meet”. He’s now head of security at Zoom so that strategy has been wonderful for his career. And it was a pleasure to work with him on company security concerns. Any success or horror stories
Seven Common Misconceptions about Threat Modeling
“Misconception 1: Threat Modeling Requires Threat Modeling Expertise
It certainly doesn’t hurt to have years of threat modeling experience creating process flow diagrams or data flow diagrams, but it’s no longer necessary. It’s not feasible to expect developers to also be security mitigation experts. So, for a while, outside expertise was required to do in-house threat modeling. Today, most of the threat modeling expertise is built right into threat modeling tools, making threat modeling just one more part of a developer’s IDE.”
Check out 2 through 7 on our blog here. Number 5 will shock you! (I couldn’t resist the clickbait CTA 😀)
Do any of these misconceptions resonate with you? Have they held you back from starting a threat modeling project?
How to Maximize the Impact of your Threat Modeling: An Overview of the ThreatModeler Community Resources
“If you’re a first-time threat modeler, threat modeling can seem overwhelming. Maybe you’re following one of the common threat modeling frameworks like STRIDE or OWASP. Or maybe you’ve already invested in an automated threat modeling tool like ThreatModeler. Either way, it may not be enough. If you hope to maximize the impact of your threat modeling, what you really need is some support, guidance and access to other threat modeling resources. In this article, we share how you can have all of these through the ThreatModeler Community.” - check out the rest of the blog for an overview of the different areas of the community.
Smart Manufacturing Magazine: Manufactured Disruption: Securing Cyber-Physical Systems
“The adoption of the Internet of Things (IoT) has also accelerated as manufacturers increasingly connect physical devices to the internet to facilitate data collection and communication. However, these connected devices can also be targeted by hackers seeking to gain access to a facility’s operations or steal sensitive data.” - @Pthakker, ThreatModeler COO.
Full article
The article mentions the Triton malware that was used to gain access to a petrochemical facility in Saudi Arabia. Reminds me of the casino hack where they targeted the IoT thermostat in the fish tank. Anyone have any other good IoT hack stories?
An Overlooked Reason Why There Are So Many Data Breaches
“Take a look at the headlines in any security news outlet and one thing really stands out. There are data breaches everywhere. They happen all the time, to organizations that know better. And it’s not like anyone wants a data breach. In fact, just the opposite is true. Companies try really hard to prevent them, often to no avail. So, why are so many data breaches happening? The truth is there are a lot of reasons. According to Help Net Security, two of the biggest reasons are social engineering and unsecured databases. In addition to these though, there is another, often overlooked reason.”
Check out the rest of the blog here.
What has been your experience? Have you worked somewhere that treated cybersecurity properly as a continuous process, or was it mostly just getting your SOC 2 Type II and then letting the effort lapse until the next annual audit?
Are Your Threat Models Ready for Q-Day? (Blog)
Threat models are really good at identifying and mitigating cybersecurity threats. But they’re not much good at addressing threats nobody knows about. And that brings us to the security threats expected to arrive on Q-Day. We know about some of the threats that are coming, but not all of them, and we may be running out of time.
Q-Day is Coming
What is Q-Day? From Help Net Security, Q-Day, or Quantum Day, “represents the day that quantum computers will reliably use the super positioning power of multi-state qubits to break encryption algorithms that are widely used around the world to enable e-commerce, data security and secure communications.” Q-Day will force every application developer to reimagine encryption and security. The good news? Q-Day is not here yet. The bad news? It may be only five to ten years away, and some think sooner. And since it represents a seismic shift in the threat landscape, the time to start preparing for Q-Day is today. Quantum computers will have an almost unfat
The Stevie Awards Feature ThreatModeler
We are feeling the love from the Stevies today! Not only did they highlight the Silver American Business Award that we won late last year, but they also featured ThreatModeler on their blog. They spent time talking about CloudModeler and what it means to DevSecOps, and overall did a great job talking about why companies need ThreatModeler now. Take a peek at the article. We’ve pasted it below, and it can also be found at this link.
Threat Modeling Pioneer Enables Collaborative Platform for Real-time Cloud Security Modeling
Stevie-winner ThreatModeler™ is a collaborative platform where security experts and non-security professionals alike can visualize design flaws within a few hours or minutes instead of weeks. ThreatModeler software was created to address the shortcomings of data flow diagrams, bring threat modeling capabilities in-house, and make it scalable. The vision for ThreatModeler software is to be able to model ALL the threats, automatically, with no security expertise required
The Value of a Community Marketplace in Democratizing DevSecOps (Blog)
When companies do business, invariably they try to differentiate themselves in some way. Maybe it’s the uniqueness of their offering, the quality of their service or perhaps even their intellectual property. Any of these can afford a company a competitive advantage in the market. Rarely, however, do organizations try to differentiate themselves by the robustness of their cybersecurity posture or their approach to DevSecOps. When it comes to security, most companies want to be sufficiently secure so that it does not detract from their competitive advantage. From a business standpoint, they just want to break even on security.
Every Organization Faces the Same Challenges
When it comes to securing applications, every organization faces the same challenges. They share the same tools, time limits, threat landscape and regulations. And the threat landscape and regulations are constantly evolving. Since knowing a company’s approach to security is rarely a threat to its intellectual property or tr
ThreatModeler Dice Feature: ChatGPT Raises Cybersecurity and A.I. Concerns (News)
Since its release, ChatGPT, a chatbot capable of producing incredibly human-like text thanks to a sophisticated machine-learning model, has industry observers heralding a new stage in artificial intelligence (A.I.) development. ChatGPT’s ability to produce realistic conversations and messages—and adapt to its mistakes—could have applications in industries ranging from finance to art. In the three months since OpenAI announced ChatGPT, the chatbot has generated significant headlines and buzz, with as many as a million people testing out the tech soon after its release. Microsoft has made significant investments in the platform, with an eye toward possibly integrating it into its cloud services. The excitement over ChatGPT, however, comes with a dark side, including concerns over security and the ability of cybercriminals to use the chatbot for their means. Check Point Research has documented several instances of threat actors deploying much more sophisticated phishing emails written w