VAST Threat Modeling
Sometimes the grass is actually greener


Introduction

A common question from customers evaluating new threat modeling products is "Do you support VAST?" While the rising frequency of that question is probably the swansong of other tooling, it is worth considering what VAST offers and whether anything about it should be modified to better serve its original intent.

What is VAST?

VAST (Visual, Agile, and Simple Threat) is a threat modeling methodology designed to be scalable, agile, and easily integrated into modern DevSecOps environments. Unlike traditional threat modeling approaches, which are perceived as complex and time-consuming, VAST is intended to be lightweight and efficient, allowing organizations to continuously identify and mitigate security threats throughout the software development lifecycle (SDLC). It rests on three pillars, Automation, Integration, and Collaboration, which now serve as the baseline requirements of any quality threat modeling product or toolset.

Can you do VAST in IriusRisk?

V - Visual ✅

Unlike other platforms that focus exclusively on diagramming or questionnaires, IriusRisk combines visual, AI-interactive, Infrastructure as Code, and questionnaire-based methods for creating diagrams. These options ensure that however you want to visualize the items being created or iterated upon, they are presented in a way that supports the business process. After all, a threat modeling product should enable a business process, sustain it, and then further scale it out, not force the business to change to match the product. Seek out tooling that is customizable to your business process.


A - Agile ✅

Is an IriusRisk threat model an agile threat model? With IriusRisk versioning and templating, a threat model can be reworked and modified in real time as changes are being designed for applications or infrastructure. Versioning provides the ability to see changes in risk between two design configurations while holding the previous state immutable to demonstrate residual risk reduction efforts over time. Templates allow organizations to insert versions of applications into threat models to demonstrate how different branches might fit into the global business requirements.

Another key component of agile threat modeling is the ability to collaborate with others. IriusRisk fosters real-time collaboration between multiple team members across diagrams, threats, and mitigations. Collaboration also happens where users already work, through the many integrations available with industry-leading tools such as Jira, Azure DevOps, and ServiceNow. Collaboration and integration are both key pillars of the VAST framework.

ST - Simple Threat ✅

IriusRisk provides unlimited access to a team of virtual security engineers through its industry-leading libraries of security designs and best practices. This is further enhanced by tuning the IriusRisk rules engine to match the technical controls present at each layer of the threat model: Environment, Infrastructure, and Functional. For more on breaking a threat model down into layers, see the article Threat Modeling in Layers.

Manual whiteboarding has been fully automated in IriusRisk, which suggests to teams which threats are in scope and most actionable for the model. Proprietary scoring then triages and ranks them according to their impact on system and data assets. This takes the guesswork out of "Which threat should I work on first?" Such automation is one of the key aspects of the VAST framework for scaling threat modeling across an enterprise.

Can VAST Be Improved?

If I were to update the VAST framework to make it more relevant and applicable to enterprise processes, I would propose the following:

  • Verified Descriptions: Ensure infrastructure and application designs are verified using automated imports and input from knowledgeable stakeholders. These descriptions could be written, visual, or even modeled using something as simple as Legos. As the great threat modeler Ted Lasso once said, "You do whatever you like." Make the tool fit your process.

"Hey, you do whatever you like! LIVE!!" - Ted Lasso

  • Automated Analysis: Implement automated analysis of relevant high-value threats and cost-effective risk mitigation strategies in an iterative, just-in-time manner. Avoid spending too much time on low-value or low-likelihood threats.
  • Stratified and Simplified Models: Simplify models to reduce complexity and increase immediate comprehension of scope and relevant design changes. A good threat model should have at least two different indicators of severity. For example, high-value risks should be marked in red and labeled "HIGH," providing an at-a-glance assessment of critical information.
  • Time-Boxing: Prevent over-analysis by setting strict time limits on the assessment of system components, threats, and mitigation strategies.
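One way to turn the last three proposals (automated analysis, stratified models with two severity indicators, and time-boxing) into a repeatable triage step. This is an added example, not IriusRisk's proprietary scoring; it assumes a 1 to 5 scale for asset impact and likelihood, the article's three layers, and constructed sample threats.

```python
from dataclasses import dataclass

# Assumed scale (not IriusRisk's scoring): asset impact and likelihood are 1..5.
@dataclass
class Threat:
    name: str
    layer: str          # Environment, Infrastructure or Functional
    asset_impact: int   # impact on the affected system or data asset, 1..5
    likelihood: int     # 1..5

# Two indicators per band (label and colour) for at-a-glance reading.
SEVERITY_BANDS = [(15, "HIGH", "red"), (8, "MEDIUM", "amber"), (0, "LOW", "green")]

def risk_score(t: Threat) -> int:
    return t.asset_impact * t.likelihood

def severity(t: Threat) -> tuple[str, str]:
    s = risk_score(t)
    for floor, label, colour in SEVERITY_BANDS:
        if s >= floor:
            return label, colour
    return "LOW", "green"

def triage(threats, min_score=6, time_box=3):
    """Automated analysis: drop low-value threats, rank the rest by score,
    time-box the worklist, then stratify it per layer for comprehension."""
    in_scope = [t for t in threats if risk_score(t) >= min_score]
    ranked = sorted(in_scope, key=risk_score, reverse=True)[:time_box]
    by_layer = {}
    for t in ranked:
        label, colour = severity(t)
        by_layer.setdefault(t.layer, []).append((t.name, label, colour))
    return by_layer

# Constructed sample threats for a hypothetical payments service.
SAMPLE = [
    Threat("Card data exposed via verbose logs", "Functional", 5, 4),
    Threat("Public object-storage bucket for backups", "Infrastructure", 5, 3),
    Threat("Verbose banner on dev host", "Environment", 1, 2),
    Threat("Weak TLS ciphers on ingress", "Infrastructure", 3, 3),
    Threat("Missing rate limit on login", "Functional", 3, 5),
]

if __name__ == "__main__":
    for layer, items in triage(SAMPLE).items():
        print(layer, items)
```

With the defaults, the dev-host banner is filtered out as low value and the weak-cipher finding is deferred by the time box; raising time_box lets it back into the next session.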

In Summary

IriusRisk not only supports VAST threat modeling but also transcends it, offering advanced capabilities that enhance the framework's effectiveness for modern enterprise needs.

Stephen Hookings

Development Expert | SAFe | Security Consultant | AI | Automation

3mo

One could say IriusRisk's capabilities are VAST++?
