Has anyone experimented with integrating TM in automated pipelines?

  • 8 November 2022
  • 5 replies

Userlevel 3

It seems to me that with the growing number of tools supporting threat modeling or working with TMs in an automated fashion (IR, shiftleft, OTM), a lot of possibilities open up for integrating these in CI/CD or other workflows.

Are you aware of any implemented use cases in this direction? 

Are there any working examples for generating a TM (even for a small well understood domain) based on code or config changes for instance?


Userlevel 2

A few things come to mind… 

  1. Many organizations have an inventory of all their applications (Application Portfolio Management (APM)). Some of these APM systems have the ability to document data classifications and the integrations the applications have to other systems. With this information, it is possible to automatically generate a DFD and come up with some elementary threats. It's a great starting point which uses automation, but human intervention is still required.
  2. With the adoption of SBOM, and now SaaSBOM, some providers are automatically creating SaaSBOMs through observations, using them as baselines, and performing anomaly detection. They're also using the contents of the SaaSBOM to create a DFD and identify threats specific to the environment in which the services are running. The providers are not currently using OTM to my knowledge, but I'm pushing all providers in this space to adopt it.
  3. There are more than a few threat modeling as code solutions out there, and a few more that simply store their threat model inside version control. I envision a day where different modules that form an application could each have their own OTM checked into version control and an automated process that collects and aggregates them into a model representative of the collective system. This is an idea my team is playing with and will likely start experimenting with next year.
Userlevel 3

Hi @stevespringett

Thanks for the great input!

I have also thought about all the possibilities aggregated threat models could open up for a while now. Specifically, if each model used a risk representation that can be aggregated in a methodologically sound way (i.e., some appropriate quantitative/probabilistic model instead of the LOW-MEDIUM-HIGH triangle), that could possibly lead to some very accurate enterprise-wide risk calculations. OK, at least in the sense of being way better than L-M-H or counting CVSS…

Userlevel 3

*Thanks for the great input ;-)

*and experimented in the title... I should really pay more attention to auto-correct suggestions...

Userlevel 2

When I think about integrating threat modeling in a CI/CD process, there are 2 aspects: 1. Create the threat model automatically from code/artifacts etc., and 2. Query the threat model to see whether it meets your criteria for good-enough before deployment.

The first one is a tougher problem to solve, but SBOMs and IaC could make this easier. The second one is much easier to solve, but of course it's only acting as an automated security gate, and not actually creating the TM. Still, it could be valuable to improve awareness with dev teams and get TM into their normal workflows.
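The second aspect above (querying a threat model as an automated gate) and the aggregation idea from the earlier reply (each module carrying its own model in version control, collected into one system model) can be demonstrated together. The following is an added example written for this thread, not code from any tool or poster mentioned here. It uses a simplified, OTM-like JSON layout whose field names (`project`, `components`, `dataflows`, `threats`, `likelihood`, `impact`, `mitigated`) are assumptions for illustration rather than the OTM specification; the two module models, the gate thresholds and the independence of threat likelihoods are all constructed for the example.

```python
"""Aggregate per-module threat models checked into version control and query
the merged model as a CI/CD gate.

Added example. The JSON layout is a simplified, OTM-like shape chosen for
illustration (field names are assumptions, not the OTM spec); the sample
module models and the policy thresholds are constructed.
"""
import copy
import math
from typing import Dict, List, Tuple

# Constructed sample input: two modules, each with its own checked-in model.
# Component ids are the shared vocabulary across modules (so dataflows can
# cross module boundaries); threat ids are local to a module.
MODULE_MODELS: List[Dict] = [
    {
        "project": {"id": "api-gateway"},
        "components": [{"id": "gw", "name": "API gateway"}],
        "dataflows": [{"id": "gw-orders", "source": "gw", "destination": "orders"}],
        "threats": [
            {"id": "T1", "component": "gw", "name": "Token replay",
             "likelihood": 0.30, "impact": 70, "mitigated": True},
            {"id": "T2", "component": "gw", "name": "No rate limiting",
             "likelihood": 0.50, "impact": 40, "mitigated": False},
        ],
    },
    {
        "project": {"id": "orders"},
        "components": [{"id": "orders", "name": "Orders service"}],
        # "orders-db" is referenced but no module declares it: a modelling gap.
        "dataflows": [{"id": "orders-db", "source": "orders", "destination": "orders-db"}],
        "threats": [
            {"id": "T1", "component": "orders", "name": "SQL injection in search",
             "likelihood": 0.20, "impact": 90, "mitigated": False},
        ],
    },
]

# Gate policy (assumed values): fail on any unmitigated threat whose
# likelihood x impact reaches max_risk, on aggregate exposure above
# max_exposure, or on structural gaps in the merged model.
POLICY = {"max_risk": 20.0, "max_exposure": 0.5}


def aggregate(models: List[Dict]) -> Tuple[Dict, List[str]]:
    """Merge module models into one system model; return it with any problems."""
    merged: Dict = {"components": [], "dataflows": [], "threats": []}
    problems: List[str] = []
    seen_components = set()
    for module in models:
        prefix = module["project"]["id"]
        for comp in module["components"]:
            if comp["id"] in seen_components:
                problems.append(f"duplicate component id {comp['id']!r} in {prefix}")
                continue
            seen_components.add(comp["id"])
            merged["components"].append(copy.deepcopy(comp))
        merged["dataflows"].extend(copy.deepcopy(module["dataflows"]))
        for threat in module["threats"]:
            t = copy.deepcopy(threat)
            t["id"] = f"{prefix}/{threat['id']}"  # namespace module-local ids
            merged["threats"].append(t)
    # Every dataflow endpoint must resolve to a declared component.
    for flow in merged["dataflows"]:
        for end in ("source", "destination"):
            if flow[end] not in seen_components:
                problems.append(f"dataflow {flow['id']!r}: unknown {end} {flow[end]!r}")
    return merged, problems


def risk(threat: Dict) -> float:
    """Per-threat risk score: likelihood x impact, rounded to avoid float noise."""
    return round(threat["likelihood"] * threat["impact"], 2)


def gate(model: Dict, problems: List[str], policy: Dict) -> Dict:
    """Query the merged model and decide whether the pipeline may proceed."""
    open_threats = [t for t in model["threats"] if not t["mitigated"]]
    violations = [
        f"{t['id']} ({t['name']}) risk {risk(t)} >= {policy['max_risk']}"
        for t in open_threats if risk(t) >= policy["max_risk"]
    ]
    # Probability that at least one unmitigated threat materialises, treating
    # likelihoods as independent (assumption): one number that aggregates
    # across modules in a way an L/M/H label cannot.
    exposure = 1.0 - math.prod(1.0 - t["likelihood"] for t in open_threats)
    if exposure > policy["max_exposure"]:
        violations.append(f"aggregate exposure {exposure:.2f} > {policy['max_exposure']}")
    violations.extend(problems)
    return {"passed": not violations, "exposure": exposure,
            "open_threats": [t["id"] for t in open_threats], "violations": violations}


def run_gate(models: List[Dict], policy: Dict) -> Dict:
    """Aggregate then gate; the shape a CI step would call."""
    merged, problems = aggregate(models)
    return gate(merged, problems, policy)


if __name__ == "__main__":
    report = run_gate(MODULE_MODELS, POLICY)
    for v in report["violations"]:
        print("FAIL:", v)
    raise SystemExit(0 if report["passed"] else 1)
```

Run as a pipeline step, the script exits non-zero when the merged model has an unmitigated threat over the risk threshold, when the combined exposure across modules is too high, or when a dataflow points at a component no module declares (the sample fails on all three). Namespacing threat ids by module while keeping component ids global is what lets two repositories each ship a `T1` without colliding, yet still describe a dataflow between each other's components.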

Userlevel 4

I’ve seen a couple of interesting open source projects, like threat playbook, that automate pieces of a threat modelling process.

Please forgive me, because I don’t have time right now to research the actual tools (and I don’t remember which one threat playbook is).

Still, there’s one tool that kicks off a modelling ticket request every time UML (and other format) representations change.

Another tool uses the catalog of threats to drive a test regime.

I’m sure there are others, each addressing some aspect of the manual process through the DevOps chain.