In November 2023, SecureFlag launched ThreatCanvas - a revolutionary AI-powered tool designed to automate Threat Modeling. And now, after receiving the most exceptionally positive feedback we could have hoped for, we’re thrilled to expand its capabilities even more with the launch of Risk Templates, thus furthering the capability to streamline the Threat Modeling process.
As a recap, ThreatCanvas is able to generate a Threat Model automatically from a textual description in a matter of seconds, thereby fitting into the developer’s workflow without adding to their workload. It not only identifies potential threats but also suggests corresponding controls, helping developers and their organizations integrate security measures as early as possible in the software design and development process.
Exploring the New Risk Templates
The introduction of Risk Templates is a game-changer in automated threat modeling. These templates guide the tool to focus on specific risk areas, ensuring relevant and targeted threat identification.
Here’s a brief overview of each of the risk templates now supported by ThreatCanvas:
- OWASP Top 10: This template aligns with the widely recognized OWASP Top 10, a list of the most critical web application security risks. It helps developers focus on common vulnerabilities like Injection flaws, Broken Authentication, and Cross-Site Scripting.
- PCI-DSS This template is tailored for applications that handle cardholder data, aligning with the Payment Card Industry Data Security Standard (PCI-DSS). It emphasizes the protection of payment information and compliance with industry regulations.
- HIPAA: The Health Insurance Portability and Accountability Act (HIPAA) template is crucial for applications dealing with healthcare data. It ensures that ThreatCanvas focuses on the privacy and security of sensitive health information.
- STRIDE: Standing for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, the STRIDE model is Microsoft’s comprehensive approach to identifying security threats in software applications.
- LINDDUN: This template is aimed at helping identify data protection and privacy risks, ensuring that applications comply with privacy laws and guidelines.
Future Roadmap: Custom Risk Templates
SecureFlag plans to introduce the ability for customers to develop their own library of Threats and Controls. This will allow the creation of tailored risk templates, enabling organizations to focus on specific threats and controls based on their unique requirements or compliance needs.
ThreatCanvas Reminder: Threat Modeling is a crucial activity
It’s no secret - developers are time-poor, and training is quite often waved away with exasperation. However, without correctly coded - read, securely coded - applications, mounting costs have a long tail!
Seamless Integration with Development Tools
SecureFlag has successfully integrated ThreatCanvas with Jira, and plans are underway to extend this integration to Azure Boards. This alignment ensures that security is a consideration from the very beginning of the development lifecycle, making it easier for developers to incorporate necessary security measures without disrupting their workflow.
Integration with SecureFlag Training
ThreatCanvas is fully integrated with SecureFlag’s training platform, providing developers with practical labs for the identified threats and controls. SecureFlag’s overarching objective is to naturalize the training process so that it is simply accepted as a core aspect of a developer’s day-to-day responsibilities when writing code. By integrating ThreatCanvas with SecureFlag’s training, we are enhancing the learning experience by mitigating threats before they can even be inadvertently created in the live environment.
With the introduction of Risk Templates on ThreatCanvas, developers and their organizations can now ensure that their designs are secure and compliant from the outset, saving a ton of downstream resources spent on security rework and, inevitably, strengthening security as a whole.
Stay tuned for more exciting updates as we continue to enhance ThreatCanvas and redefine Threat Modeling, making it - finally! - an accessible and essential part of software development.
