<p>Threat modeling ranges from simple data flow diagrams to highly complex mathematical algorithms and frameworks. Manually combing through this information is inefficient and time-consuming. Automated tools speed up the process and generate recommendations and reports designed to combat prospective threats.</p>
<p>Automated threat modeling tools come in many different forms, from no-cost open source applications to powerful cloud-based and on-site ones that can cost hundreds or thousands of dollars.</p>
<p>Let’s examine what to look for when selecting threat modeling software and assess products on the market.</p>
<section class=”section main-article-chapter” data-menu-title=”How to select a threat modeling tool”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>How to select a threat modeling tool</h2>
<p>Before laying out a foundation for <a href=”https://www.techtarget.com/searchsecurity/definition/threat-modeling”>threat modeling</a>, involve top managers from both the business side and technology side. Business managers should identify the assets considered most important. IT staffers should discuss the technology needed to support those assets, highlighting the most critical risks, threats and vulnerabilities.</p>
<p>Key criteria underpinning the evaluation and selection process should include identifying the following:</p>
<ul class=”default-list”>
<li>The business requirements, goals and operational objectives to protect from security threats.</li>
<li>The desired results and outputs from the threat modeling tools, for example, reports, analyses, assessments, visual diagrams and recommendations.</li>
<li>Situations where risks, threats and vulnerabilities are present and need protection from malicious attacks.</li>
<li>How to address and define appropriate countermeasures to mitigate identified threats and vulnerabilities.</li>
<li>How to test and validate the performance of the selected application.</li>
<li>How to integrate the selected system into other threat initiatives within the organization.</li>
<li>Licensing, pricing, training and maintenance options to make fair and accurate comparisons.</li>
<li>Actions to take now that increase protection from future threats.</li>
</ul>
<p>One tactic is to use a model, such as the software development lifecycle (SDLC), to help select a threat modeling tool. In many cases, the tool deployed protects a specific application or system. SDLC components — planning, requirements, design, development, testing, deployment and maintenance — can serve as an important framework. Ideally, the software should support each SDLC process.</p>
</section>
<section class=”section main-article-chapter” data-menu-title=”How to implement a threat modeling tool”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>How to implement a threat modeling tool</h2>
<p>The process of using a threat modeling tool is straightforward. Once the tool has been obtained, unpacked and installed, review the instructions for getting started, then perform the following steps:</p>
<ul class=”default-list”>
<li>Gather threat data from prior risk analyses, historical data and operational experience.</li>
<li>Create a model of the system architecture and security infrastructure using models available from the tool.</li>
<li>Use the tool to identify potential threats and vulnerabilities based on the model used.</li>
<li>Identify actions that can respond to and mitigate the impact of identified threats. Also identify ways to address vulnerabilities and make changes to the overall security infrastructure.</li>
<li>Document the recommendations and generate reports for subsequent review by security teams and senior management.</li>
<li>Use the tool to perform ongoing design changes and modifications to the security infrastructure based on the tool’s recommendations.</li>
</ul>
</section>
<section class=”section main-article-chapter” data-menu-title=”Features to look for in threat modeling tools”>
<h2 class=”section-title”><i class=”icon” data-icon=”1″></i>Features to look for in threat modeling tools</h2>
<p>Consider the following important features and benefits that any threat modeling tool should offer.</p>
<h3>Ease of data input</h3>
<p>Depending on the system analyzed, consider how data is entered into the tool. Attributes should include system design, architecture, input/output characteristics and security features, as well as compliance factors if the system is subject to one or more
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: