
DayBlink Consulting implemented an automated threat modeling solution for consumer facing applications for a large Media company.


Read the full case study here: Automated Threat Modeling


Introduction

A Media & Communications client faced a daunting challenge: scaling its threat modeling efforts to keep up with rapid product development. It needed a solution that would allow thorough security reviews without delaying product launches. The DayBlink Consulting team managed the budgeting, planning, design, integration, implementation and operationalization of an automated threat modeling program. Working closely with the technology solution provider, we enabled the client to dramatically increase the volume of threat models completed annually. This new system allowed for recurring threat models to run automatically and security findings to be auto-assigned to app owners, while maintaining the same headcount of threat modeling security analysts.

Problem

The client’s security team lacked an efficient process to establish threat models due to personnel constraints.

The client’s security team was stretched thin, lacking the personnel needed to conduct threat models for all products across the enterprise. This shortage often resulted in products being launched without thorough security reviews, leaving potential vulnerabilities unaddressed. The long wait times for threat modeling led to delays in product releases, causing frustration among application teams who saw security as a blocker rather than a partner.

Furthermore, the comprehensiveness of security reviews varied, leading to inconsistent threat modeling assessments. The manual process to complete threat models was inefficient and inflexible. This process significantly strained resources and prevented the team from completing its target number of threat models each year.

Solution

Our team successfully developed an automated threat modeling solution by creating a robust full-stack application that transformed survey form responses into actionable tasks.

DayBlink Consulting transformed our client’s threat modeling program by leading the development of a full stack application that automatically converted survey form responses into Jira tasks. The solution enabled identification and remediation of threats prior to application launches, significantly reducing manual processes and ensuring product launch readiness.

To ensure the project’s success, we led a program management effort that included crafting a program charter, a detailed plan, a timeline and a governance structure. The team then designed the future-state automated processes and workflows, along with the logical and physical architectures. We managed both vendor deployment and custom development to integrate a SaaS tool into the holistic solution. We drafted an operations model for continuous improvement and created over 30 dashboards, runbooks, and process documents to guide the solution’s operationalization. This model provided a clear framework for ongoing maintenance and optimization.

Outcome

Security teams were able to complete 10x more threat models per year without increasing headcount

In the first year, the security teams were able to review over 100 applications, including all critical and high-risk systems, more than tripling velocity. The total cycle time for completing a threat model, involving both security and product engineers, was nearly halved. This efficiency not only sped up product development but also received positive feedback from the product teams for its ease of use and user-friendly experience. The volume and consistency of vulnerability findings increased, and the distribution and communication of findings to the respective owners improved, enhancing the overall security posture of the organization.

The client also saw the cost of each threat model fall by more than 80% due to reduced overhead and less time spent on administrative activities (e.g. scheduling, meetings, document sharing). Annual capacity increased to nearly 1000 components, allowing all ~250 crown-jewel systems and more than 700 priority components to be evaluated regularly.