Threat Modeling

5 Myths in Threat Modeling

October 10, 2022
Written by
Abhay Bhargav

Threat modeling is a technique used by businesses to improve network and application security by identifying threats and prioritizing responses based on the severity of individual threats.

The advantages of threat modeling are substantial. Threat modeling provides a comprehensive process for evaluating potential risks to an organization's system. It gives a framework for informed decision-making to guarantee that limited resources are used to their best advantage. 

Even though threat modeling has become immensely popular, there are still prevalent misconceptions that make businesses skeptical about adopting it fully.

Have you started threat modeling your apps yet?

If yes, read this. If no, DEFINITELY read this.

5 Biggest threat modeling myths

Myth 1: "We already do pentesting & code review; we don't need threat modeling."

One of the threat modeling myths is that people believe that pentesting and code review are enough for overall security. This is not right. Because pentests and code reviews cannot cover the entire system or the application, a mere couple of weeks of testing don't give insights into every defect the app may have. 

You will need threat modeling, a framework to constantly conduct threat assessments, and organize security programs. This will help document threat vectors and better understand the apps and architecture. On the bright side, threat modeling can help pentesting and code review work better. 

Myth 2:  "We already threat modeled our app once; that's good enough."

Some business people reject the idea of periodical checking with threat modeling. 

However, with continuous development, regular application of threat modeling is necessary. It is because the application changes over time and increases the threat profile. Similar to the applications, threat models need to be updated regularly. 

Myth 3: "We should only threat model the application."

An app by itself does not provide a comprehensive picture of the potential dangers it may face. Examine your infrastructure, database, interactions with third parties, and deployment environment to find out what's wrong.

It is not only about the app itself but also about everything that interacts with it.

Myth 4: "We need an in-house security specialist to do threat modeling."

Having an in-house security specialist on your team is a good idea, but it is not mandatory. In reality, threat modeling starts with the developers and architects. They understand their apps better and know where exactly the system can fail. They can effectively create a threat model that will prove efficient for all. 

Myth 5: "Our system is already built & deployed; there's no need to threat model now."

Without a threat model, you will not know any potential app threats. As a result, unforeseen risks can show up while you are underprepared. Even if you are using pentest, your app is not safe. As the app changes over time, it only increases the risks from attackers, which pentest can not provide protection. 

Want to go deeper into Threat Modeling? Start with these 2 courses on AppSecEngineer:

Learn with real-world exercises & understand how your app works from the inside out:

AppSecEngineering provides cutting-edge and hands-on training to prepare you for the demands of your job. Amp up your security skill set with us. Not sure- if this is the right course for you, start a free trial.

Source for article
Abhay Bhargav

Abhay Bhargav

Abhay is a speaker and trainer at major industry events including DEF CON, BlackHat, OWASP AppSecUSA. He loves golf (don't get him started).

Abhay Bhargav