VAST Threat Modeling
Introduction
A common question from customers evaluating new threat modeling products is "Do you support VAST?" While the rising frequency of that question is likely the swan song of other tooling, it is worth considering VAST's value and whether anything about it should be modified to improve on its original meaning.
What is VAST?
VAST (Visual, Agile, and Simple Threat) is a threat modeling methodology designed to be scalable, agile, and easily integrated into modern DevSecOps environments. Unlike traditional threat modeling approaches, which are perceived as complex and time-consuming, VAST is intended to be lightweight and efficient, allowing organizations to continuously identify and mitigate security threats throughout the software development lifecycle (SDLC). It has three pillars, Automation, Integration, and Collaboration, which now serve as the baseline requirements of any quality threat modeling product or set of tooling.
Can you do VAST in IriusRisk?
V - Visual ✅
Unlike other platforms that focus exclusively on diagramming or questionnaires, IriusRisk combines visual, AI-interactive, Infrastructure as Code, and questionnaire-based methods for creating diagrams. These options ensure that, regardless of how you want to visualize the items being created or iterated upon, they are visualized in a way that supports the business process. After all, a threat modeling product should enable a business process, sustain it, and then further scale it out, not force the business to change to match the product. Seek out tooling that is customizable to your business process.
A - Agile ✅
Is an IriusRisk threat model an agile threat model? With IriusRisk versioning and templating, a threat model can be reworked and modified in real time as changes are being designed for applications or infrastructure. Versioning provides the ability to see changes in risk between two design configurations while holding the previous state immutable to demonstrate residual risk reduction efforts over time. Templates allow organizations to insert versions of applications into threat models to demonstrate how different branches might fit into the global business requirements.
Another key component of agile threat modeling is the ability to collaborate with others. IriusRisk fosters real-time collaboration between multiple team members across diagrams, threats, and mitigations. Collaboration also happens where users live with the many integrations available into industry-leading tools such as Jira, Azure DevOps, and ServiceNow. Collaboration and integration are both key pillars in the VAST framework.
ST - Simple Threat ✅
IriusRisk provides unlimited access to a team of virtual security engineers through its industry-leading libraries and access to security designs and best practices. This is further enhanced by tuning the IriusRisk rules engine to match the technical controls present at each layer of the threat model: Environment, Infrastructure, and Functional. For more on breaking down your threat model into layers, see the article Threat Modeling in Layers.
Manual whiteboarding has been fully automated with IriusRisk, which suggests to teams which threats are in scope and most actionable for your model. Proprietary scoring then triages and ranks them according to system and data asset impact. This process takes the guesswork out of "Which threat should I work on first?" This automation is one of the key aspects of the VAST framework for scaling threat modeling to enterprises.
Can VAST Be Improved?
If I were to update the VAST framework to make it more relevant and applicable to enterprise processes, I would propose the following:
"Hey, you do whatever you like! LIVE!!" - Ted Lasso
In Summary
IriusRisk not only supports VAST threat modeling but also transcends it, offering advanced capabilities that enhance the framework's effectiveness for modern enterprise needs.
Comment (Development Expert | SAFe | Security Consultant | AI | Automation, 3mo):
One could say IriusRisk's capabilities are VAST++?