Webinar: Why Cloud-Native Applications and APIs Are at Risk

How to Automate Security Reviews & Threat Modeling

Bionic can help teams automate threat modeling and security reviews.

We use an agentless approach to scan and reverse engineer your applications in any environment. The output is a real-time living architecture map that is code-level accurate. You can now threat model or review security based on what actually exists in your application versus estimating or guessing your threat landscape.

Agentless Scan

Below is an application that Bionic has scanned in a QA environment, showing all services, APIs, dependencies, and attack surfaces.

Under the covers, Bionic has scanned every line of code behind this architecture to detect possible drift, security threats, or compliance violations. For example, let’s filter this architecture map to show all security violations that exist.

Detect Attack Surfaces & Security Violations

Bionic has highlighted all relevant services and dependencies that could be exploited. If you click on the order analytics service to learn more, you can see where this service is running and its tech stack. We can also see that this service has three high-severity violations and is accessing both a third-party service and a PII data source.

Now let’s click on the violations to learn more. We can see that one of the three violations is hard-coded credentials. We can click on this and see that the hard-coded parameter is the username of the database connection referenced in the code. The remediation step is to move the credential into a secret store such as HashiCorp Vault, so that the code fetches it at runtime through the store’s API instead of carrying the value as a literal parameter.
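To make the finding concrete, here is an added example (not Bionic’s code or output) of the kind of check that surfaces a hard-coded database credential, alongside the remediated form. Both source snippets are constructed samples: the “before” connects with a literal username and password, the “after” reads them from a Vault KV store through the hvac client at runtime. The scanner itself is a deliberately simple keyword-and-literal regex; the parameter names it looks for and the Vault path `orders/db` are assumptions for the illustration.

```python
import re

# Constructed "before" sample: database username and password as literals in code.
VULNERABLE_SNIPPET = '''
import psycopg2

def connect():
    return psycopg2.connect(
        host="orders-db.internal",
        user="order_analytics",
        password="S3cret!Pass",
        dbname="orders",
    )
'''

# Constructed "after" sample: credentials resolved from HashiCorp Vault at runtime.
# The Vault address and the KV path "orders/db" are assumed for this example.
HARDENED_SNIPPET = '''
import psycopg2
import hvac

def connect():
    client = hvac.Client(url="https://vault.internal:8200")
    secret = client.secrets.kv.v2.read_secret_version(path="orders/db")["data"]["data"]
    return psycopg2.connect(
        host="orders-db.internal",
        user=secret["username"],
        password=secret["password"],
        dbname="orders",
    )
'''

# A credential-looking parameter name assigned a quoted string literal.
# Assignments from a variable or call (user=secret["username"]) do not match,
# which is exactly the distinction between the two snippets above.
CREDENTIAL_PATTERN = re.compile(
    r'''\b(?P<key>user(?:name)?|password|passwd|pwd|secret|token|api_key)'''
    r'''\s*=\s*(?P<quote>["'])(?P<value>[^"']+)(?P=quote)''',
    re.IGNORECASE,
)


def find_hardcoded_credentials(source: str) -> list[dict]:
    """Return one finding per credential-named parameter set to a string literal."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in CREDENTIAL_PATTERN.finditer(line):
            findings.append(
                {
                    "line": lineno,
                    "parameter": match.group("key"),
                    # Never echo the secret itself into a report; keep only its length.
                    "value_length": len(match.group("value")),
                    "remediation": "load this value from a secret store at runtime",
                }
            )
    return findings


if __name__ == "__main__":
    for label, snippet in (("before", VULNERABLE_SNIPPET), ("after", HARDENED_SNIPPET)):
        print(f"{label}: {find_hardcoded_credentials(snippet)}")
```

The scanner reports the vulnerable snippet’s `user` and `password` parameters and nothing for the hardened one. A keyword regex like this is a first-pass filter only; a real reviewer would combine it with entropy checks and a list of known secret formats to catch values that are not assigned to an obviously named parameter.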

Detect Compliance Violations

Now let’s go back to our map and change the filter to compliance violations. To the left, we can see an audit admin service that has many violations, so let’s investigate the details.

The last compliance violation shows a data flow between an EU and a non-EU service: specifically, a database in the EU West 1 region being accessed from the US East 1 region in the cloud.

We can see that Bionic has flagged this as a GDPR violation, so it would be a finding in a GDPR audit. Because the violation was found in QA, we can pass this insight back to the engineering team quickly and have it fixed before it reaches production.
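The cross-region check above can be expressed as a rule over the architecture map. The following is an added example, not Bionic’s implementation: a constructed map of services and data stores tagged with a cloud region and a PII flag, and a rule that flags any flow in which a service outside the EU reads a PII data store hosted in the EU. The node names, the AWS-style region identifiers (`eu-west-1` standing in for EU West 1, `us-east-1` for US East 1) and the EU region list are assumptions for the illustration; the rule generalises the single database-to-service flow in the text to every edge in the map.

```python
from dataclasses import dataclass

# Assumed set of EU-hosted regions; extend to match the provider you use.
EU_REGIONS = {"eu-west-1", "eu-west-2", "eu-west-3", "eu-central-1", "eu-north-1", "eu-south-1"}


@dataclass(frozen=True)
class Node:
    name: str
    kind: str          # "service" or "datastore"
    region: str
    pii: bool = False  # True if the node stores or processes personal data


@dataclass(frozen=True)
class Edge:
    source: str  # caller
    target: str  # callee or data store being read


# Constructed architecture map standing in for a scanner's output.
NODES = [
    Node("audit-admin", "service", "us-east-1"),
    Node("order-analytics", "service", "eu-west-1"),
    Node("customer-db", "datastore", "eu-west-1", pii=True),
    Node("audit-log", "datastore", "us-east-1"),
    Node("metrics-store", "datastore", "us-east-1"),
]

EDGES = [
    Edge("audit-admin", "customer-db"),      # US service reading EU PII: flagged
    Edge("order-analytics", "customer-db"),  # EU service reading EU PII: fine
    Edge("audit-admin", "audit-log"),        # US service reading US non-PII store: fine
    Edge("order-analytics", "metrics-store"),# EU service writing non-PII to US: not in scope of this rule
]


def is_eu(region: str) -> bool:
    return region in EU_REGIONS


def find_cross_border_pii_flows(nodes: list[Node], edges: list[Edge]) -> list[dict]:
    """Flag edges where a non-EU service accesses a PII data store located in the EU."""
    by_name = {n.name: n for n in nodes}
    findings = []
    for edge in edges:
        src, dst = by_name[edge.source], by_name[edge.target]
        if dst.kind == "datastore" and dst.pii and is_eu(dst.region) and not is_eu(src.region):
            findings.append(
                {
                    "source": src.name,
                    "source_region": src.region,
                    "target": dst.name,
                    "target_region": dst.region,
                    "rule": "EU personal data accessed from a non-EU region",
                }
            )
    return findings


if __name__ == "__main__":
    for finding in find_cross_border_pii_flows(NODES, EDGES):
        print(finding)
```

Running it on the constructed map yields a single finding, `audit-admin` in `us-east-1` reading `customer-db` in `eu-west-1`, which mirrors the violation described above. Because the rule runs over the map rather than over a manually drawn diagram, it can be re-evaluated on every scan and will catch a new cross-border edge the moment a developer introduces one.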

In just a few minutes, we’ve walked through two simple examples of how Bionic automates threat modeling and security reviews. Bionic is continuous: it re-scans your applications every time they change and reports which new attack surfaces or compliance violations each change has introduced.
