The Combined Power of SAST and Threat Modeling
Taking a look at the power of combining SAST and Threat Modeling by Rob Wood
Introduction
In the modern era of technology, applications have become the backbone of businesses across myriad industries. However, with this increasing reliance on applications comes a growing need for robust security measures. Static Application Security Testing (SAST) tools and threat modeling are common approaches to the problem. In this article, I'm going to advocate for why they should work together: using a threat model to inform a targeted SAST rollout.
Image Source: Threat Modeling Manifesto. An excellent resource on the topic of Threat Modeling, be sure to check it out!
Understanding SAST tools and threat modeling
SAST tools are purpose-built to scan and identify potential security vulnerabilities within an application's codebase. Semgrep is one such SAST tool designed to be fast, developer-friendly, and easy to use. In addition, it has a rich, flexible rule-set covering many security vulnerabilities and is extensible for custom rules.
Threat modeling is a structured approach to identifying, prioritizing, and mitigating potential organizational threats. This process involves identifying potential attack vectors and assessing the likelihood and impact of these attacks. In addition, using threat modeling can identify potential security vulnerabilities that SAST tools may miss.
Implementing SAST tools and Threat Modeling in your organization
Implementing SAST tools or threat modeling in your organization on its own can be challenging, but it is critical for the success of your security program. Bringing the two activities together can help both processes be more impactful. Here are my recommendations for getting started:
Assess your organization's current risk landscape: It's vital to assess your organization's existing risk landscape and team structure before implementing any SAST tools or threat modeling process. Understanding who owns what and the key risk drivers will help you threat model with more context around what's important.
Identify potential threats: Use threat modeling to identify threats to your organization's key applications. This process involves identifying key assets, security controls, and potential attack vectors, and assessing the likelihood and impact of these attacks. This process is typically done while analyzing key data flows or the software architecture.
Address attack vectors with targeted SAST rules: With an understanding of relevant attack vectors, enumerate SAST rules that prevent or detect contributing vulnerabilities. Using a tool for targeted rule inclusion is optimal to avoid too much noise in the rollout.
Set up a testing environment: With the tool selected and some candidate rules laid out and mapped to attack vectors, you can start testing on your codebase. Exercising each rule against your code and the outcome you intend it to catch will give you a sense of its accuracy. When this rule fires, is it always right, sometimes right, or rarely right? Am I wasting much of my team's time if we turn this on?
Analyze the results: Once you've implemented the rules, analyze the results of your SAST scans to identify potential live vulnerabilities. Prioritize these vulnerabilities based on their likelihood, impact, reachability, or EPSS score. The approach to prioritization will likely depend on the process elsewhere in the organization or the team's willingness to try something new.
Mitigate the vulnerabilities: Take steps to mitigate the vulnerabilities identified in your scans. Depending on the issue, this may involve changing code, updating libraries, or other actions.
Repeat the process: Once you have implemented SAST tools and threat modeling in your organization, it's essential to repeat the process regularly. Consistency applied over time will help you avoid new threats and vulnerabilities as they emerge. Strive for greater SAST coverage over your threat model.
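As an added illustration of steps three through seven (not code from the original article or from Semgrep), the script below maps a small, constructed threat-model excerpt to the Semgrep rule ids chosen for it, ranks findings from a constructed `semgrep --json` result excerpt by the likelihood and impact of the attack vector each rule covers, reports vectors with no rule mapped (coverage gaps), and computes per-rule precision from triage verdicts. The attack vectors, rule ids, file paths and scores are hypothetical.

```python
import json

# Constructed threat-model excerpt: hypothetical attack vectors, each with
# likelihood and impact on a 1-5 scale and the Semgrep rule ids mapped to it.
THREAT_MODEL = {
    "ATK-1 SQL injection via search API": {"likelihood": 4, "impact": 5,
                                           "rules": ["app.db.raw-sql-format"]},
    "ATK-2 SSRF via webhook URL": {"likelihood": 3, "impact": 4,
                                   "rules": ["app.http.user-controlled-url"]},
    "ATK-3 Session token written to logs": {"likelihood": 2, "impact": 3,
                                            "rules": []},
}

# Constructed excerpt of `semgrep --json` output, trimmed to the fields used here.
SEMGREP_OUTPUT = json.dumps({"results": [
    {"check_id": "app.db.raw-sql-format", "path": "api/search.py",
     "start": {"line": 42}, "extra": {"severity": "ERROR"}},
    {"check_id": "app.http.user-controlled-url", "path": "hooks/deliver.py",
     "start": {"line": 17}, "extra": {"severity": "WARNING"}},
    {"check_id": "style.unused-import", "path": "util.py",
     "start": {"line": 3}, "extra": {"severity": "INFO"}},
]})


def vectors_for_rule(model):
    """Invert the model: rule id -> attack vectors that rule helps detect."""
    index = {}
    for vector, entry in model.items():
        for rule in entry["rules"]:
            index.setdefault(rule, []).append(vector)
    return index


def prioritize(semgrep_json, model):
    """Rank findings by likelihood x impact of the vectors they map to.
    Findings from rules outside the threat model score 0: noise for this rollout."""
    index = vectors_for_rule(model)
    ranked = []
    for r in json.loads(semgrep_json)["results"]:
        vectors = index.get(r["check_id"], [])
        score = max((model[v]["likelihood"] * model[v]["impact"] for v in vectors), default=0)
        ranked.append((score, r["check_id"], r["path"], r["start"]["line"], vectors))
    return sorted(ranked, key=lambda t: t[0], reverse=True)


def coverage_gaps(model):
    """Vectors with no SAST rule mapped: they need a custom rule or another control."""
    return [v for v, e in model.items() if not e["rules"]]


def rule_precision(verdicts):
    """Precision per rule from triage verdicts {rule: [True, False, ...]}, True = real issue."""
    return {rule: sum(v) / len(v) for rule, v in verdicts.items() if v}
```

Feeding real `semgrep --json` output into `prioritize` and recording triage outcomes in `rule_precision` gives the "always, sometimes or rarely right" answer for each rule before it is turned on for the whole team.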
Conclusion
Any organization that is building software should engage in some form of SAST rollout or threat modeling. Leveraging these processes together can help capture more value from each activity. Using a threat model to drive focus in SAST deployment will help a team prioritize. Using SAST tools to mitigate the risks identified in a threat model addresses some of those risks, freeing the team to go deeper and focus on more interesting ones over time.
Guest Contributor
This article is from guest contributor Robert Wood.
Bio: Robert Wood is the Chief Information Security Officer (CISO) for the Centers for Medicare and Medicaid Services (CMS). He leads enterprise cybersecurity, compliance, privacy, and counterintelligence functions at CMS and ensures the Agency complies with secure IT requirements while encouraging innovation.
Mr. Wood has over 10 years of experience in information technology, information security and management consulting.
Prior to CMS, Mr. Wood has built and managed several security programs in the technology sector. He was also formerly a Principal Consultant for Cigital where he advised enterprises about their software security programs. He also founded and led the red team assessment practice with Cigital, focused on holistic adversarial analysis, helping organizations identify and manage risks from alternative perspectives.
Mr. Wood has a B.S. in Information Management & Technology from Syracuse University.
Rob is also the co-founder of Soft Side of Cyber, an organization dedicated to bringing human-centered cybersecurity skills to every role. You can find more articles, content and resources at www.softsideofcyber.com