Scale up threat modeling with AI, consistent quality
Automate threat modeling to enable fast and secure software development
Like a security risk analyst, CyberSage performs security risk analysis for a business feature (e.g. customer login on a web application): it identifies the security weaknesses that particular design choices may introduce, the attack vectors that could exploit those weaknesses, and the technical remediation it recommends.
Such automation lets software development teams and other information technology disciplines scale up security risk analysis using the threat modeling methodology.
In addition, it . The analysis is automated with CyberSage.
With AI-assisted threat modeling and work management tool integration, CyberSage enables developers to conduct threat modeling on their own and to identify insecure design flaws early in the SDLC, when a security weakness can be addressed at the lowest cost.
What threat modeling automation delivers
AI-assisted, self-service threat modeling to identify insecure design.
Developers can conduct threat modeling without becoming security experts and identify insecure design flaws in the design phase. CyberSage makes threat modeling an on-demand service for software developers and system architects, fitting the pace of development and removing the bottleneck of scarce cyber security professionals.
It lets enterprises achieve consistency in this analysis by using common profiles, models and rules. Inconsistency is a common drawback of security analysis done by a team of analysts, whose skill sets and perspectives vary.
Automation lets the limited AppSec resource focus on high-value activities by taking over most of the day-to-day security review burden for projects with a medium risk level.
Embed security into development life-cycle management
CyberSage enables IT (information technology) teams, such as software development and other IT design/build teams, to make threat modeling and remediation part of their development life-cycle. Prevention or remediation of security weaknesses then starts early in the life-cycle, which reduces both security risk and remediation cost.
Diagram: CyberSage and work management tool integration.
CyberSage integrates with mainstream IT management tools (such as Jira) so that developers can manage threat modeling within their own workflow.
Supports DevSecOps, CI/CD and secure Agile to enable fast and secure development.
Supports developers with a real-time inline AppSec knowledge base.
For more details, refer to Embed threat modeling into SDLC.
Produce contextualized and accurate threat modeling results
CyberSage keeps the enterprise's and the technology asset's contextual information, such as inherent risk assessments (IRA), threats and existing controls, in the Threats & Risk Repo. CyberSage also obtains further contextual information from users when the inference requires it. This contextual information is used during inference to produce a threat model tailored to it.
Enable threat modeling to be driven by business value and risk, instead of by technology stacks alone.
CyberSage supports a threat modeling methodology in which the threat model is derived from business values and the threats to those values.
Customization
Customize threat modeling profiles for the enterprise's specific business and risk profile.
The business and risk profile differs from one enterprise to another, so the out-of-the-box threat modeling profile may need adjusting to fit an enterprise's specific scenarios.
CyberSage's threat modeling engine supports changes to these profiles through rule changes in its rule interface. The rule changes are independent of the CyberSage core software and do not require the skill set of a professional software developer, so they can be made quickly.
The following customizations are supported:
Update an existing threat modeling profile.
Create a new profile: when the enterprise has unique business features that the out-of-the-box profiles do not cover, new profiles can be created with the rule engine and new rules.
Secure cloud assets with threat modeling
Associate the threats (the attackers' objectives), the business profile and the applicable attack vectors by building a tree-structured graphical representation.
This facilitates further analysis of the security weaknesses, which depend on the causal factors that enable the attack vectors.
Automate security issue risk rating and threat impact analysis aligned with the enterprise's business profile
Organizations need to assign a risk rating to each identified security weakness (vulnerability) in order to prioritize remediation by risk. The vulnerability risk rating must be contextualized to the organization's business profile. For instance, a vulnerability resulting in information disclosure should have a much higher risk rating in a military organization than the same one in a social media application.
The risk rating also needs to follow an established methodology such as operational risk management (ORM).
The threat modeling engine uses the risk and business profile (e.g. the confidentiality requirements of an application) as threat modeling input. It also automates the risk rating with the ORM (operational risk management) model, incorporating both the impact and the likelihood of each identified security weakness.
Automate business impact rating of security threats contextualized for the business model of the organization.
Organizations need to associate the security weaknesses identified in security risk analysis with the impact on their business so that they can make risk-based decisions, since impact is half of the equation in a proper risk rating.
The same technical security weakness can have a very different business impact depending on which business functionality the vulnerable component supports. For instance, the same cross-site scripting (XSS) vulnerability has a very different impact on the customer login page of an online banking portal than on a BBS page.
Most security tools that identify security weaknesses (e.g. vulnerability scanners) do not include business impact in their out-of-the-box risk rating method. Furthermore, most of them provide no capability to contextualize the risk rating with business impact. Such cookie-cutter risk ratings do not help organizations prioritize remediation.
CyberSage incorporates threat and impact analysis of IT assets into security issue risk rating in two ways:
1. Associate each security weakness with the business impact specific to the organization.
CyberSage associates business impacts with a given threat to a business feature. For instance, for a business feature in a web application where customers can update their profile, one of the threats (attacker's goals) is to access sensitive information in other customers' profiles. The business impact associated with this threat is disclosure of sensitive information.
CyberSage then rates the business impact using the business and risk attributes of the organization. For instance, for a social media application, compromise of the information in a customer profile may cause less impact to the organization than the same compromise in a banking application, because banking customers' information can be used for financial fraud and is subject to strict laws and regulations.
The threat analysis and impact rating are automated.
2. Allow the organization to customize the business impact rating to fit changes in its business profile.
When a business application adds new functionality, users can model the updated application with CyberSage. In the background, CyberSage identifies the threats and rates the associated business impact for the new functionality.
For details, see Automate security issue risk rating.
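The following is an added illustration, not CyberSage's code or its ORM model (the page gives no scoring formula), of how the same XSS weakness receives different risk ratings once impact is derived from the business profile; the profiles, weakness-to-threat mapping, scales and thresholds are all constructed assumptions.

```python
"""Illustrative risk rating contextualised by business profile (assumed model)."""
from dataclasses import dataclass

# Constructed sample business profiles: how sensitive the organisation's
# customer data is (1..5) and whether it is subject to strict regulation.
BUSINESS_PROFILES = {
    "banking":      {"data_sensitivity": 5, "regulated": True},
    "social_media": {"data_sensitivity": 2, "regulated": False},
}

# Assumed mapping: technical weakness -> (attacker goal, business impact category)
WEAKNESS_TO_THREAT = {
    "xss":  ("hijack a customer session", "disclosure"),
    "idor": ("read other customers' profiles", "disclosure"),
    "missing_rate_limit": ("credential stuffing", "account_takeover"),
}

@dataclass
class Feature:
    name: str
    profile: str              # key into BUSINESS_PROFILES
    internet_facing: bool
    handles_customer_data: bool

def impact_rating(feature: Feature, category: str) -> int:
    """Impact 1..5: driven by data sensitivity, raised by regulatory exposure."""
    p = BUSINESS_PROFILES[feature.profile]
    score = p["data_sensitivity"] if feature.handles_customer_data else 1
    if p["regulated"] and category in ("disclosure", "account_takeover"):
        score = min(5, score + 1)   # legal and regulatory consequences
    return score

def likelihood_rating(feature: Feature, weakness: str) -> int:
    """Likelihood 1..5 from exposure (assumed heuristic, not a real-world statistic)."""
    score = 3 if feature.internet_facing else 1
    if weakness in ("xss", "missing_rate_limit"):
        score += 1                   # commonly attempted by automated tooling
    return min(5, score)

def rate(feature: Feature, weakness: str) -> dict:
    """Combine impact and likelihood into a score and a qualitative band."""
    threat, category = WEAKNESS_TO_THREAT[weakness]
    impact = impact_rating(feature, category)
    likelihood = likelihood_rating(feature, weakness)
    score = impact * likelihood
    band = ("critical" if score >= 20 else "high" if score >= 12
            else "medium" if score >= 6 else "low")
    return {"threat": threat, "impact": impact, "likelihood": likelihood,
            "risk": score, "band": band}
```

With a banking login page (customer data, internet-facing) the XSS rates 5 x 4 = 20, "critical"; the same XSS on a social media BBS page that holds no customer data rates 1 x 4 = 4, "low".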
Developer friendly
Jira single sign-on and integration
Developers sign in to CyberSage with their Jira account via SSO. CyberSage automatically creates Jira work items to track and remediate the security weaknesses identified in threat modeling. This integration lets developers handle security work items as part of their normal workflow, the same way they handle business user stories.
Developers need only a browser to use CyberSage.