Everyone wants their engineering staff to be better at threat modeling. Security teams desire a world where developers practice a threat modeling mindset. A threat modeling mindset is where threat modeling is no longer a process or a tool but is instead a way of life. When developers embrace this mindset, they see threats jump off the page in both diagrams and code. They hear peers discussing a potential solution, and they can articulate the security challenges that such an approach will cause.
There are different approaches that security teams try when beginning threat modeling. One method is for a central security team to perform all the threat modeling. The challenge with this approach is scalability; as soon as you grow beyond a single pizza’s worth of developers, you need a large security team to keep up.
Another approach is to solve threat modeling with tools. Regardless of the tool, developers will struggle using the tool without the knowledge for successful deployment. Tools are great but come later in the maturity of threat modeling.
The best methodology for threat modeling at scale is the “caught not taught” method. With “caught not taught,” the premise is that the only way to truly grasp threat modeling is by performing threat modeling. Instead of spending hours lecturing on STRIDE versus PASTA, take a small group of developers into a room, and ask one of them to draw a picture on the board of the current feature they are building. Begin to ask leading questions about the things you see jump off the board. Teach them how to threat model by performing threat modeling.
For threat modeling to grow, you must magnify your efforts. Spend time with that small group of developers until they reach the early stages of the threat modeling mindset, and then ask them to replicate the idea with groups of their own. In no time, you’ll have an entire organization embracing a security mindset through threat modeling.