Design practices that facilitate secure software development through organization and collaboration
What is Threat Modeling?
Threat modeling is a way of thinking about potential risks and vulnerabilities in a system or application to identify and address them proactively. It involves a development team and key stakeholders working together to analyze how an attacker might try to exploit weaknesses in the system, and then determining steps to mitigate those risks.
“Threat modeling is a structured activity for identifying, evaluating, and managing system threats, architectural design flaws, and recommended security mitigations.”
(Ref: OWASP SAMM)
At CMS, we use threat modeling to help identify potential weaknesses that could be exploited by malicious actors. The CMS Threat Modeling Team works with Application Development Organizations (ADOs) and system teams to analyze their system's components, understand how they interact, and envision how an attacker might exploit vulnerabilities. This important work allows system/business owners, ISSOs, and developers to implement appropriate security measures – such as encryption, access controls, or regular software updates – to reduce the chances of a successful attack and protect sensitive information.
Learn more about the process by reading the CMS Threat Modeling Handbook.
What are the benefits of Threat Modeling?
At CMS, threat modeling supports CMS’ system security and continuous monitoring efforts by serving the following goals:
- Detecting problems early in the software development life cycle (SDLC)
- Identifying system security requirements
- Creating a structured plan to address both system requirements and deficiencies
- Evaluating attacks on CMS systems that teams might not have considered, including security issues unique to your system
- Staying one step ahead of attackers
- Getting inside the minds of threat agents and their motivations, skills, and capabilities
- Serving as a resource for CMS Penetration Testing and Contingency Planning activities
Getting started with Threat Modeling
The CMS Threat Modeling Team recommends system teams start the threat modeling process before they complete their required Penetration Testing or as part of their Ongoing Authorization efforts.
The CMS Threat Modeling Team is ready to help you onboard your system and start your threat model – just follow these easy steps to get started:
Learn about the process of threat modeling to decide when the right time is to engage with the CMS Threat Modeling Team based on your system’s current compliance and authorization schedule.
Please complete the Threat Modeling Intake Form. The CMS Threat Modeling Team will use the answers you provide in this questionnaire to help inform future planning sessions.
To start things off, facilitators from the CMS Threat Modeling Team will meet with the system/business owner, ISSO, and up to 2 senior developers to talk about the process, time commitment, and outputs expected in future threat model sessions. This meeting takes about 30 minutes.
Depending on the complexity of your system or application, you can expect to have two to three threat modeling sessions in total. Each one- to two-hour session will focus on walking through a Data Flow Diagram (DFD), identifying threats using STRIDE or other methods, and determining mitigations or countermeasures for the identified threats. We will work with you to determine whether the recommended mitigations are already in place or need to be implemented in the near future. We may also help you determine the level of risk to your system based on the potential impact of the identified vulnerabilities.
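As an added illustration of the work done in a session (this script is not part of the CMS Threat Modeling Handbook or of this page), the following Python code applies the STRIDE-per-element mapping to a small constructed DFD: three elements in different trust zones, two data flows between them, and a handful of mitigations the team has already confirmed. Flows whose endpoints sit in different trust zones are flagged as crossing a trust boundary, and the open threats on those flows are listed first, since they are where review time is usually spent. The element names, trust zones and mitigation entries are invented for the example.

```python
"""STRIDE-per-element pass over a small Data Flow Diagram (added example)."""
from dataclasses import dataclass
from typing import Optional

# STRIDE-per-element: which threat categories apply to each kind of DFD element.
# S=Spoofing, T=Tampering, R=Repudiation, I=Information disclosure,
# D=Denial of service, E=Elevation of privilege.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str          # external_entity | process | data_store
    trust_zone: str    # label of the trust boundary region the element lives in


@dataclass
class Flow:
    name: str
    source: str        # Element.name
    dest: str          # Element.name


@dataclass
class Threat:
    target: str                     # element or flow the threat applies to
    category: str                   # one STRIDE letter
    crosses_boundary: bool = False  # only meaningful for data flows
    mitigation: Optional[str] = None


def enumerate_threats(elements, flows):
    """Generate one candidate threat per (element, applicable STRIDE category)."""
    zones = {e.name: e.trust_zone for e in elements}
    threats = []
    for e in elements:
        if e.kind not in STRIDE_PER_ELEMENT or e.kind == "data_flow":
            raise ValueError(f"unknown element kind {e.kind!r} for {e.name!r}")
        threats.extend(Threat(e.name, c) for c in STRIDE_PER_ELEMENT[e.kind])
    for f in flows:
        if f.source not in zones or f.dest not in zones:
            raise ValueError(f"flow {f.name!r} references an element not in the DFD")
        crossing = zones[f.source] != zones[f.dest]   # trust boundary crossed?
        threats.extend(Threat(f.name, c, crosses_boundary=crossing)
                       for c in STRIDE_PER_ELEMENT["data_flow"])
    return threats


def apply_mitigations(threats, mitigations):
    """Attach confirmed mitigations keyed by (target, STRIDE letter)."""
    for t in threats:
        t.mitigation = mitigations.get((t.target, t.category))
    return threats


def open_threats(threats):
    """Unmitigated threats, boundary-crossing ones first."""
    return sorted((t for t in threats if t.mitigation is None),
                  key=lambda t: (not t.crosses_boundary, t.target, t.category))


def summary(threats):
    opened = open_threats(threats)
    return {
        "total": len(threats),
        "mitigated": len(threats) - len(opened),
        "open": len(opened),
        "open_on_boundary": sum(1 for t in opened if t.crosses_boundary),
    }


# Constructed sample DFD (names and zones are made up for this example).
ELEMENTS = [
    Element("Beneficiary browser", "external_entity", "internet"),
    Element("Claims API", "process", "dmz"),
    Element("Claims DB", "data_store", "internal"),
]
FLOWS = [
    Flow("Submit claim", "Beneficiary browser", "Claims API"),
    Flow("Write claim", "Claims API", "Claims DB"),
]
# Mitigations the team confirmed are in place (constructed for the example).
MITIGATIONS = {
    ("Submit claim", "I"): "TLS on the public endpoint",
    ("Submit claim", "T"): "TLS on the public endpoint",
    ("Claims API", "S"): "Authenticated sessions on every request",
}


def run_session(elements=ELEMENTS, flows=FLOWS, mitigations=MITIGATIONS):
    return apply_mitigations(enumerate_threats(elements, flows), mitigations)


if __name__ == "__main__":
    threats = run_session()
    for t in open_threats(threats):
        flag = "BOUNDARY " if t.crosses_boundary else "         "
        print(f"{flag}{t.target:<20} {CATEGORY_NAMES[t.category]}")
    print(summary(threats))
```

Running the script lists the open threats with boundary-crossing flows first and ends with a count of total, mitigated and open items; the mitigation table is the part a team updates between sessions as countermeasures are confirmed or implemented.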
Like other cybersecurity practices, threat modeling is most effective as an ongoing process for securing your system. Every application is unique, but we recommend reviewing and updating your threat model(s) at least annually, or as part of your change management process. The CMS Threat Modeling team can help you design a schedule that makes the most sense for you and your system.