Threat Modeling
Design practices that facilitate secure software development through organization and collaboration
What is Threat Modeling?
Threat modeling is a method of analyzing potential risks and vulnerabilities in a system or application to identify and mitigate them proactively. It involves a development team and key stakeholders working together to investigate how an attacker might try to exploit weaknesses in the system and then determining steps to mitigate those risks.
“Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations.”
(Ref: OWASP SAMM)
At CMS, we use threat modeling to help identify potential weaknesses that malicious actors could exploit. Application Development Organizations (ADOs) and system teams are encouraged to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. This vital work enables system and business owners, ISSOs, and developers to implement effective security measures – such as encryption, access controls, or regular software updates – to reduce the likelihood of a successful attack and protect sensitive information.
Want to dive into Threat Modeling?
Learn more about the process by reading the CMS Threat Modeling Handbook.
What are the benefits of Threat Modeling?
At CMS, threat modeling supports system security and continuous monitoring efforts by:
- Detecting problems early in the software development life cycle (SDLC)
- Identifying system security requirements
- Creating a structured plan to address both system requirements and deficiencies
- Surfacing attacks on CMS systems that teams might not have considered, including security issues unique to your system
- Staying one step ahead of attackers
- Getting inside the minds of threat agents and their motivations, skills, and capabilities
- Serving as a resource for CMS Penetration Testing and Contingency Planning activities
Getting started with Threat Modeling
CMS recommends system teams start the threat modeling process before they complete their required Penetration Testing or as part of their Ongoing Authorization efforts.
Follow these easy steps to get started:
Read the Threat Modeling Handbook
Learn how the threat modeling process works so you can decide when to build a threat model, based on your system's current compliance and authorization schedule.
Complete Threat Modeling sessions
Depending on the complexity of your system or application, you can expect to need two to three threat modeling sessions in total. Each one- to two-hour session focuses on walking through a Data Flow Diagram (DFD), identifying threats using STRIDE or another method, and determining mitigations or countermeasures for the identified threats. For each mitigation, record whether it is already in place or needs to be implemented soon. Then rate the risk to your system based on the potential impact and likelihood of each identified threat.
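The session workflow above (DFD elements and trust boundaries, STRIDE-per-element, mitigation status, risk rating) can be captured as a small "threat model as code" script so the output of each session is reviewable and re-runnable. The example below is added here for illustration; it is not CMS tooling or part of the Handbook. The sample system (a beneficiary portal, claims API, database and cache), the mitigation catalogue, and the 3-point impact x likelihood scale are constructed assumptions, not CMS scoring rules.

```python
"""Threat-modeling-as-code sketch: walk a Data Flow Diagram (DFD) with
STRIDE-per-element, record which countermeasures are in place, and rate
residual risk. The sample system, mitigation catalogue and scoring scale
are constructed for illustration (assumptions, not CMS guidance)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

STRIDE = ["Spoofing", "Tampering", "Repudiation",
          "Information disclosure", "Denial of service", "Elevation of privilege"]
S, T, R, I, D, E = STRIDE

# STRIDE-per-element: categories that typically apply to each DFD element kind.
APPLICABLE: Dict[str, Set[str]] = {
    "external": {S, R},
    "process": {S, T, R, I, D, E},
    "datastore": {T, R, I, D},   # R applies where the store holds audit logs
    "flow": {T, I, D},
}

# Generic countermeasure per category (assumed catalogue; a real model names
# the specific control, e.g. "mTLS between Portal and Claims API").
MITIGATIONS = {
    S: "strong authentication (mTLS, signed tokens)",
    T: "integrity protection (TLS, signatures, input validation)",
    R: "tamper-evident audit logging",
    I: "encryption in transit/at rest, least-privilege access control",
    D: "rate limiting, quotas, redundancy",
    E: "authorization checks, least privilege, sandboxing",
}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str                      # external | process | datastore | flow
    zone: str                      # trust boundary the element (or flow source) sits in
    to_zone: Optional[str] = None  # flows only: trust boundary of the destination

    def crosses_boundary(self) -> bool:
        return self.kind == "flow" and self.to_zone is not None and self.to_zone != self.zone

@dataclass
class Threat:
    element: str
    category: str
    mitigation: str
    impact: int        # 1 low .. 3 high (assumed 3-point scale)
    likelihood: int    # 1 low .. 3 high
    mitigated: bool

    def risk(self) -> str:
        # Assumed scoring: impact x likelihood; an in-place mitigation drops
        # likelihood to 1 (residual risk), it does not remove the threat.
        score = self.impact * (1 if self.mitigated else self.likelihood)
        return "High" if score >= 6 else "Medium" if score >= 3 else "Low"

def enumerate_threats(elements: List[Element], impact_of: Dict[str, int],
                      in_place: Set[Tuple[str, str]]) -> List[Threat]:
    """One candidate threat per (element, applicable STRIDE category).
    Flows that cross a trust boundary are reachable from a less-trusted zone,
    so they get a higher likelihood."""
    threats = []
    for el in elements:
        for cat in STRIDE:
            if cat not in APPLICABLE[el.kind]:
                continue
            threats.append(Threat(
                element=el.name, category=cat, mitigation=MITIGATIONS[cat],
                impact=impact_of.get(el.name, 2),
                likelihood=3 if el.crosses_boundary() else 2,
                mitigated=(el.name, cat) in in_place))
    return threats

def summarize(threats: List[Threat]):
    """Counts per risk level plus the open (unmitigated) High items to work first."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    open_high = []
    for t in threats:
        counts[t.risk()] += 1
        if t.risk() == "High" and not t.mitigated:
            open_high.append(t)
    return counts, open_high

def sample_model() -> List[Threat]:
    """Constructed DFD: beneficiary -> portal -> claims API -> DB, plus a cache."""
    elements = [
        Element("Beneficiary", "external", "internet"),
        Element("Portal", "process", "dmz"),
        Element("Claims API", "process", "app"),
        Element("Claims DB", "datastore", "data"),
        Element("Cache", "datastore", "app"),
        Element("Beneficiary->Portal", "flow", "internet", "dmz"),
        Element("Portal->API", "flow", "dmz", "app"),
        Element("API->DB", "flow", "app", "data"),
        Element("API->Cache", "flow", "app", "app"),   # stays inside one boundary
    ]
    impact_of = {"Claims DB": 3, "API->DB": 3}        # PHI lives here: high impact
    in_place = {("Beneficiary->Portal", I),          # TLS on the public edge
                ("Claims DB", I)}                     # encryption at rest
    return enumerate_threats(elements, impact_of, in_place)

if __name__ == "__main__":
    counts, open_high = summarize(sample_model())
    print("Risk summary:", counts)
    for t in open_high:
        print(f"[{t.risk()}] {t.category} on {t.element}: needs {t.mitigation}")
```

Running it lists every STRIDE category that applies to each DFD element, with boundary-crossing flows (internet to DMZ, DMZ to application zone, application zone to data zone) ranked highest and the two controls already in place lowering their residual risk. The open High items are the backlog a session would hand to the ISSO and developers; re-running the script after a control lands, or after the DFD changes, is the ongoing review the next section describes.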
Ongoing Threat Modeling
Like other cybersecurity practices, threat modeling is most effective as an ongoing process for securing your system. Every application is unique, but we recommend reviewing and updating your threat model(s) at least annually, or as part of your change management process.