ENGAGEMENT
A Media & Communications client faced the challenge of scaling its threat modeling efforts to keep pace with rapid product development. It needed a solution that would allow thorough security reviews without delaying product launches. The cyber team also wanted help designing and accelerating the budgeting, planning, design, integration, implementation and operationalization of an automated threat modeling program. Working closely with the technology solution provider, we enabled the client to dramatically increase the volume of threat models completed annually. The new system ran recurring threat models automatically and auto-assigned security findings to application owners, all while maintaining the same headcount of threat modeling security analysts.
PROBLEM
The client’s security teams were stretched thin, lacking the personnel needed to establish threat models for all products across the enterprise. This shortage often resulted in products being launched without thorough security reviews, leaving potential vulnerabilities unaddressed. The long wait times for threat modeling led to delays in product releases, causing frustration among application teams who saw security as a blocker rather than a partner. Furthermore, the comprehensiveness of security reviews varied, leading to inconsistent threat modeling assessments.
SOLUTION
To tackle these issues, we developed a full-stack application that converted survey form responses into Jira tasks, ensuring that threats were remediated before app launch. We were responsible for program management, developing a program charter, plan, timeline and governance structure. We then led the design by building future-state automated processes and workflows, along with the logical and physical architectures. We managed both vendor deployment and custom development to integrate a SaaS tool into the holistic solution. Additionally, we created a metrics and operations model for continuous improvement, producing over 30 dashboards, runbooks and process documents to guide the solution’s roadmap and expansion.
RESULT
The impact of our solution was immediate and significant. In the first year, the security teams were able to review over 100 applications, including all critical and high-risk systems – more than tripling velocity. The total cycle time for completing a threat model, involving both security and product engineers, was nearly halved. The solution not only sped up product development but also drew positive feedback from the product teams for its ease of use and user-friendly experience. The volume and consistency of vulnerability findings increased, and the distribution and communication of these findings to the respective owners improved, enhancing the overall security posture of the organization.