Threat modeling and a lack of tools

I’ve been threat modeling for quite some time. I could argue that I started threat modeling at a high level in 1997 when I started my first job working for one of the first security consulting firms, Arca Systems. Threat modeling was a crucial part of everything we did, but we didn’t call it threat modeling or a separate process. It was how we were taught to think.

I taught myself the formal threat modeling processes I eventually rolled out at a large tech company. I started with STRIDE and used that as the foundation for how I taught people the threat modeling process. We took that process and turned it into a tool that helped walk engineers through the process of threat modeling.

The core principle of the tool was that it should allow an engineer to be the expert in the thing they were building, but not in security. The tool asked the engineer to create a representation, tag that model with attributes, and then consider the threats/develop mitigations. The tool led the engineers through the process.

The tool’s goal was to put itself out of business over time. The tool was not designed to always be how threat models were performed. The hope was that engineers would learn the process without needing the tool to facilitate threat modeling.

Watching this tool be utilized over time, I thought that tools could enhance any threat modeling program. I still hold true to what we wrote in the Threat Modeling Manifesto, “People and collaboration over processes, methodologies, and tools.”

Humans must learn how to do threat modeling manually before adopting a technological solution. This is the same circumstance as when we code up a solution to a manual problem. If we do not find a manual solution to the challenge, we could end up coding something that misses the mark.

When I asked the question about tooling usage within the world of threat modeling on LinkedIn, I was surprised to learn that most threat modelers are not using any tools. They are using a manual process. This leads me to ask the question, “why?”

Is the lack of tool usage a statement about the current maturity of threat modeling in our industry or a comment about a deficiency in the available tools? We have multiple options in the commercial space for tooling, as well as PyTM and Threat Dragon from the open-source community. In my experience, it’s a combination of both.