I have been talking about Application Security Posture Management (ASPM) a lot these days.
The articles, blogs, and glass board sessions about the aspects of ASPM got me thinking.
What are some other new and exciting ways ASPM could help organizations do things better?
I immediately thought of threat modeling.
Bionic ASPM Level Set
Bionic is building the first comprehensive Application Security Posture Management platform. We find these different aspects of ASPM to be a necessity:
- Dynamic Bill of Materials (dBOM) – dynamically updated SBOM
- Dynamic Application Map (dMap) – dynamically updated application map
- Dynamic Query Engine (dQuery) – a query engine with which you can reference anything within your application ecosystem
These tools will be crucial to understanding how ASPM expands on how people are threat modeling today.
Two Types of Threat Modeling
Threat Modeling has two distinct approaches.
Proactive Threat Modeling
The first is proactive threat modeling. This type of threat modeling happens before the first line of code is written, to architect an application securely and accurately. ASPM will not help you with proactive threat modeling, as ASPM needs compiled code to work. If there is no code, then ASPM will not help you.
Continuous Threat Modeling
The second type of threat modeling, continuous threat modeling, or threat modeling existing applications, is a perfect fit for ASPM as the application’s code exists and is constantly changing.
Why is Threat Modeling Hard?
Threat Modeling is complex as it takes a unique skill set to look at the visual diagram of an architecture and think of all the bad things that can happen.
In addition, is the visual diagram you are trying to threat model even accurate?
Typically, threat modelers rely on cross-functional teams of developers, enterprise architects, SMEs, and tribal knowledge to create the visual diagram of an application. This crowdsourcing approach is prone to missing critical architectural components of an application.
A threat model is only as good as the diagram you are trying to threat model.
Aggressive CI/CD Pipelines Make Threat Modeling Even Harder
To continue the conversation on continuous threat modeling, we have to consider CI/CD pipelines that release applications many times a day.
How can you manually create an accurate visual application architecture map when you release a new version 10, 50, 100 times a day?
You can’t; this does not scale. DevOps and their associated CI/CD pipelines are all about automation, so manual updating of application architecture maps does not work anymore.
ASPM Solves This Manual Challenge
What is the source of truth for an application?
The code itself.
ASPM collects and reverse engineers the compiled application artifacts, creating a complete application architectural map of all the services associated with the application.
This map can be configured to be updated for EVERY new application release, so your map is always up to date.
Gone are the days of having to create it manually. Now you can threat model to your heart’s content against a complete architectural map.
Other Things ASPM Provides for Threat Modelers
I already mentioned these concepts in the first paragraph of the blog, but this is where the dBOM and dQuery come into play.
The dBOM provides a continuously updated bill of materials, so you know exactly what technologies are included in the application. Having this information is very helpful to people threat modeling an application as they know what application components to focus on.
The dQuery gives threat modelers the ability to examine hypothetical threat use cases. An example would be checking whether PII data is accessed by an internet-facing application service that carries a critical CVE.
This is all based on the code itself, so you can be confident whether this type of risk exists or not.
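As an added illustration (not Bionic’s dQuery, whose data model and query language are not described here), the hypothetical use case above run over a small constructed application map, extended to follow transitive service calls so that PII reached through an intermediate service is found as well:

```python
"""Illustrative dQuery-style search over a code-derived application map.

Constructed example; the service names, components and severities are made up.
Question asked: which internet-facing services carry a component with a
critical CVE and can reach PII data, directly or through services they call?
"""
from dataclasses import dataclass, field

CRITICAL = "critical"

@dataclass
class Service:
    name: str
    internet_facing: bool = False
    components: dict = field(default_factory=dict)  # component -> highest CVE severity (dBOM)
    calls: set = field(default_factory=set)         # other services this one invokes (dMap)
    datastores: set = field(default_factory=set)    # datastores accessed directly (dMap)

# Constructed application map: four services, one call edge, two datastores.
APP_MAP = {
    "web-frontend": Service("web-frontend", True, {"http-framework": CRITICAL}, {"order-svc"}, set()),
    "order-svc": Service("order-svc", False, {"json-parser": "high"}, set(), {"orders-db"}),
    "admin-api": Service("admin-api", True, {"logging-lib": CRITICAL}, set(), {"audit-db"}),
    "report-svc": Service("report-svc", False, {"tls-lib": CRITICAL}, set(), {"orders-db"}),
}
# Datastore -> data classification tags (constructed); orders-db holds customer PII.
DATASTORES = {"orders-db": {"pii"}, "audit-db": {"internal"}}

def reachable_datastores(app_map, start):
    """Datastores a service reaches through its own access or transitive calls."""
    seen, stack, stores = set(), [start], set()
    while stack:
        name = stack.pop()
        if name in seen or name not in app_map:
            continue
        seen.add(name)
        stores |= app_map[name].datastores
        stack.extend(app_map[name].calls)
    return stores

def exposed_pii_paths(app_map, datastores, severity=CRITICAL):
    """Internet-facing services with a component at `severity` that can reach PII."""
    hits = []
    for svc in app_map.values():
        if not svc.internet_facing or severity not in svc.components.values():
            continue
        pii = {d for d in reachable_datastores(app_map, svc.name) if "pii" in datastores.get(d, set())}
        if pii:
            hits.append((svc.name, sorted(pii)))
    return sorted(hits)
```

Only web-frontend is flagged: admin-api is exposed and has a critical component but reaches no PII, and report-svc reaches PII but is not internet-facing.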
ASPM is Not a Complete Replacement for Threat Modeling
I am not saying ASPM is a complete replacement for threat modeling.
I am trying to say that if you are concerned with continuously threat modeling existing applications, then ASPM makes the whole process easier.
You can be sure that the application diagram you are threat modeling is accurate because it is based on the code itself and not subjectively created by a cross-functional team that may miss important aspects of the diagram.
Add to that a continuously updated bill of materials combined with the threat modeler’s expertise, and your threat models will be accurate, up to date, and automated.