As 2022 comes to an end, we’ve definitely seen some major themes emerge with regard to threat modeling. In this year in review, we discuss some of the more important ones.
The Ever Expanding Scope of Threat Modeling
Perhaps the most recurrent theme in 2022 was the ever expanding scope of threat modeling. It’s not just for application development anymore.
For starters, we’ve seen how Threat Modeling Answers More Business Questions Than Security Questions. Some of the more important questions being, am I spending too much on security? and what is secure enough?
In Threat Modeling: It’s not Just for IT Anymore, we discuss the important role threat modeling is starting to play in operational technology (OT), the hardware and software that controls and operates the physical mechanisms of an organization.
Another theme that kept coming up is how threat modeling can be used to identify and mitigate non-security threats. In Gain Insights Into Your Attack Surface and Compliance Requirements With Threat Modeling, we point out that threat modeling is just as effective and mitigating compliance threats.
Finally, we touched on its expanding utility in Can Threat Modeling Really Help Fight Cyber Burnout? Here we argue that overworked, stressed-out developers can actually improve their circumstances by adopting automated threat modeling tools.
The Challenge of Securing Dynamic Cloud Environments
At the top of the list of challenges that threat modeling addresses has to be the dynamic cloud. After all, how do you secure an environment that never stops changing?
Most cloud configurations today are done by code, known as Infrastructure-as-Code (IaC). The first step in securing a cloud environment then is to secure the IaC. In Securing Your IaC—is it Possible? we answer the question yes. There are now threat modeling tools available that identify problems in the IaC, including configuration errors, compliance errors, security practices and IAM issues.
We further explored this theme with How to Overcome the Biggest Challenge in Cloud Security and How Threat Modeling Improves Cloud Infrastructure With Continuous Cloud Security.
The conclusion? The best approach to securing dynamic cloud environments is with continuous monitoring threat modeling. But does such a capability exist? If you read How to Strengthen Your Cloud Security With CloudModeler, you’d know the answer.
Industries in Desperate Need of Threat Modeling
While every industry can benefit from threat modeling, and that certainly applies to companies developing applications, there is a handful of industries that are in desperate need of threat modeling. And the one at the top of the list is the medical industry.
First we pointed out that Increased Cyber Threats to Medical Devices Cause Healthcare Industry Self-Evaluation. So, at least the industry is aware of the threats. And at least part of the solution is threat modeling, as we point out in Why Medical Devices Need to be Secured Right From Design.
A surprising industry that desperately needs threat modeling is the automobile industry. We may not think of cars as nodes on a network, but they are, which means they can be hacked. We explored this issue in Now That Cars are Computers on Wheels, How do we Protect Them? And just like with medical devices, at least part of the answer is threat modeling. The good news? The automobile industry understands the challenges.
Finally, perhaps the most important industry in need of threat modeling is critical infrastructure. Critical infrastructure includes everything from power and water treatment plants, to food processing plants, transportation and public health facilities.
In How Threat Modeling Can Help Protect Critical Infrastructure, we explore how much of the critical infrastructure is out of date with little to no cyber protection. And once again, part of the answer is threat modeling.
Happy Holidays
We enjoyed sharing our observations with you in 2022 and hope to do so again in 2022. Until then, have a wonderful holiday season from the ThreatModeler team.