ThreatModeler Enterprise

Are mitigation steps associated with specific threats?

Through customization, mitigation steps can be associated with specific threats.  With the Enterprise Deployment Model, customers can perform this customization in-house, use MyAppSecurity’s Professional Services, or leverage a MyAppSecurity partner.

Another important mitigation step is enabling developers to apply pre-approved code snippets during the coding process. While there are out-of-the-box code snippets available in ThreatModeler for certain development languages, custom code snippets can also be created to match any development language. Customers can use MyAppSecurity’s Professional Services to provide code snippet customization, leverage a MyAppSecurity partner, or perform the customization in-house.

Can threat models be built for applications or devices that are not web-based?

Yes, ThreatModeler is customizable and can be adapted to other applications or devices such as ATMs, mobile devices, medical devices, etc.

Can ThreatModeler help measure the progress of our security initiatives?

ThreatModeler’s dashboards, trending, and vulnerability comparison charts can all be used to measure the progress of security initiatives.

Can ThreatModeler integrate with other technologies and security tools such as bug trackers, WAFs, GRC applications, VA scanners and services, etc?

Yes, ThreatModeler has a bi-directional, web services API that can be used to integrate with other tools and technologies. Customers can use MyAppSecurity’s Professional Services to provide integration, leverage a MyAppSecurity partner, or perform the integration in-house.

Does ThreatModeler support role-based access control?

Yes, there are 3 different role classifications that can be used to define access to ThreatModeler’s functionality.

Does ThreatModeler take into account the underlying infrastructure linked to applications?

Yes. ThreatModeler provides an out-of-the-box secure hardening checklist for infrastructure components and, through its integration with VA tools, can verify whether those guidelines have been met.

How are threats identified in applications?

ThreatModeler’s Intelligent Threat Engine (ITE) correlates threat data from the built-in Threat Library and automatically predicts where threats exist.

How can ThreatModeler help prioritize mitigation efforts?

There are multiple variables associated with threats collected from threat models, and much of this information is useful in helping to prioritize mitigation.

ThreatModeler not only automatically identifies the relevant security controls to mitigate threats, it also provides a way to calculate the costs associated with mitigation, allowing you to align and prioritize mitigation efforts to match budget allocation.

ThreatModeler also automatically links into real-world breach data like the Web Hacking Incident Database (WHID) to gauge the likelihood of exploits and to help determine the potential technical and business impact of threats, if carried out by an attacker.

How is the ThreatModeler Enterprise Model deployed?

With the ThreatModeler Enterprise Offering, the ThreatModeler software is installed and deployed at the customer’s location. Pricing is user-based and includes a one-time fee for a perpetual license, professional services to build and customize designated threat models, and annual fees for ongoing maintenance and support.

Once deployed, the ThreatModeler Enterprise Offering enables an automated, repeatable, scalable threat modeling process enterprise-wide.

How long does it take to build a threat model for a new web application using ThreatModeler?

Since there are no URLs available to help automatically identify and map components contained in a new web application, some basic information needs to be obtained from developers and security architects in order to build a threat model for a new application.

Once this information is made available, the time frame to build a threat model for a mid-sized web application for relatively new or less experienced users is 5-7 days. For more experienced “power users” of ThreatModeler, the time it would take to threat model a mid-sized application would be reduced to 2-5 days.

How long does it take to build a threat model for an existing web application using ThreatModeler?

For relatively new or less experienced users, the average time it takes to build a threat model for a mid-sized web application is 5-7 days. For more experienced “power users” of ThreatModeler, the time it takes to threat model a mid-sized application would be reduced to 2-5 days.

How long does it take to implement ThreatModeler Enterprise?

Implementation depends on the number, size, and complexity of applications a customer wants to threat model.

To speed up implementations, MyAppSecurity offers Professional Services, with threat-modeling specialists available to build and customize threat models on behalf of its customers; a MyAppSecurity partner can also be leveraged.

As a point of reference, MyAppSecurity’s threat modeling team is able to build 30 to 50 threat models per month.

How often is the list of threats updated?

The Threat Library is updated quarterly and may include new threats that apply to web applications, and/or threats that apply to additional platforms supported by ThreatModeler, such as mobile applications or other devices.

Is there a document that compares the ThreatModeler SaaS Private Cloud Offering to the Enterprise Deployment model?

Yes, a Plan Comparison is available on our website.

What are the minimum system requirements for installing ThreatModeler on customer provided hardware and software?

1. Windows Server 2003/2008
2. IIS 7.0+
3. SQL Server 2005 Express or above
4. SMTP Server for Email notification
5. .NET Framework 4

Note that Windows Server 2003 and SQL Server 2005 are both past the end of Microsoft’s extended support, so an installation that meets these minimums should use a currently supported release of Windows Server and SQL Server rather than the oldest version listed.

What sources are used for importing threats into ThreatModeler’s Threat Library?

Threats are imported from well-known industry sources such as CAPEC, the WASC-TC, and OWASP. The Threat Library also allows users to add custom threats that are organization or industry-specific.

With the Enterprise Deployment Model, who are the potential users of ThreatModeler?

Typically, organizations favor a phased-in approach, whereby the core security team owns the threat modeling process, and their users are the security architects, security engineers, security analysts, and C-Level executives. Once threat models are completed for key applications, development teams can be integrated into the workflow, and usually this is done selectively and expanded as the process is formalized.

ThreatModeler SaaS Private Cloud Offering

Are mitigation steps associated with specific threats?

Through customization, mitigation steps can be associated with specific threats. With the SaaS Private Cloud Deployment, customization of security controls is included with the service.

Another important mitigation step is enabling developers to apply pre-approved code snippets during the coding process.  While out-of-the-box code snippets are available in ThreatModeler, custom code snippets can also be created to match any development language. Customers can use MyAppSecurity’s Professional Services to provide code snippet customization, leverage a MyAppSecurity partner, or perform the customization in-house.

Can threat models be built for applications or devices that are not web-based?

Yes, ThreatModeler is customizable and can be adapted to other applications or devices such as ATMs, mobile devices, medical devices, etc.

Can ThreatModeler help measure the progress of our security initiatives?

ThreatModeler’s dashboards, trending and vulnerability comparison charts can be used to measure the progress of your security initiatives.

Can ThreatModeler integrate with other technologies and security tools such as bug trackers, WAFs, GRC applications, VA tools, etc?

Yes, ThreatModeler has an open, bi-directional, web services API that can be used to integrate with other tools and technologies. Customers can use MyAppSecurity’s Professional Services to provide integration, leverage a MyAppSecurity partner, or perform the integration in-house.

Does ThreatModeler support role-based access control?

Yes, there are 3 different role classifications that can be used to define access to ThreatModeler’s functionality.

Does ThreatModeler take into account the underlying infrastructure linked to applications?

Yes. ThreatModeler provides an out-of-the-box secure hardening checklist for infrastructure components and, through its integration with VA tools, can verify whether those guidelines have been met.

How are threats identified in applications?

ThreatModeler’s Intelligent Threat Engine (ITE) correlates threat data from the built-in Threat Library and automatically predicts where threats exist.

How can ThreatModeler help prioritize mitigation efforts?

There are multiple variables associated with threats collected from threat models, and much of this information is useful in helping to prioritize mitigation. ThreatModeler also provides a way to calculate the costs associated with mitigation, allowing you to align and prioritize mitigation efforts to match budget allocation.

Equally important, ThreatModeler’s Intelligent Threat Engine (ITE) automatically predicts threats to applications and ranks them by risk. These threats are also mapped to security controls, which when implemented mitigate the risk.

ThreatModeler also automatically links into real-world breach data like the Web Hacking Incident Database (WHID) to gauge the likelihood of exploits and to help determine the potential technical and business impact of threats, if carried out by an attacker.

How does ThreatModeler scale?

The foundation for ThreatModeler’s scalability is its built-in automation and repeatability. Examples include:

1. the ability to automate and replicate the building of threat models, their individual components, and associated threats;
2. enabling collaboration between all stakeholders; and
3. leveraging threat data consolidated from well-known industry sources such as OWASP, CAPEC, and the WASC-TC and applying it globally, to promote consistent and thorough security standards organization-wide.

How is the ThreatModeler Private Cloud Offering deployed?

ThreatModeler software is installed on a virtual machine at the customer’s location and threat-modeling data never leaves the customer network. This allows organizations to apply their current security policy and controls to ThreatModeler to enforce and maintain their security standards.

The ThreatModeler™ Private Cloud Offering (PCO) is an annual, SaaS-based subscription model, with MyAppSecurity delivering threat modeling as an ongoing service by building, customizing, and maintaining customer-designated threat models. The ThreatModeler™ SaaS PCO enables an automated, repeatable, scalable threat modeling process enterprise-wide.

How long does it take to implement the ThreatModeler SaaS Private Cloud Offering?

Upon initiating the service, MyAppSecurity’s threat modeling team begins building threat models immediately. Full implementation depends on the number, size, and complexity of applications a customer wants to have threat-modeled.

As a reference point, MyAppSecurity’s threat modeling team is able to build 30 to 50 threat models per month.

How often is the list of threats updated?

The Threat Library is updated quarterly and may include new threats that apply to web applications, and/or threats that apply to additional platforms supported by ThreatModeler, such as mobile applications or other devices.

If we were to subscribe to the ThreatModeler SaaS Private Cloud Offering, what security controls are in place to protect our data?

Since security is woven into the fabric of MyAppSecurity’s core business and our company’s reputation is at stake, we’ve established strong security procedures and controls that apply both operationally and to our personnel.

We are able to provide detailed information describing our internal policies and procedures to prospective customers upon request, provided a mutual non-disclosure agreement is in place.

Is there a document that compares the ThreatModeler SaaS Private Cloud Offering to the Enterprise Deployment model?

Yes, a Plan Comparison is available on our website.

What are the minimum system requirements for installing ThreatModeler on customer provided hardware and software?

1. Windows Server 2003/2008
2. IIS 7.0+
3. SQL Server 2005 Express or above
4. SMTP Server for Email notification
5. .NET Framework 4

Note that Windows Server 2003 and SQL Server 2005 are both past the end of Microsoft’s extended support, so an installation that meets these minimums should use a currently supported release of Windows Server and SQL Server rather than the oldest version listed.

What sources are used for importing threats into ThreatModeler’s Threat Library?

Threats are imported from well-known industry sources such as CAPEC, the WASC-TC, and OWASP. The Threat Library also allows users to add custom threats that are organization or industry-specific.
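Both the Enterprise and the SaaS Private Cloud answers above say the Threat Library is seeded from CAPEC and similar sources and then extended with organization-specific threats. The following is an added illustration of what such a library looks like in code; it is not ThreatModeler’s own importer or API. It parses a constructed XML fragment in the shape of the public CAPEC v3 export (the two pattern IDs and CWE mappings are real CAPEC/CWE entries, the descriptions are abbreviated), merges a custom threat under an assumed `ORG-` identifier namespace, and ranks entries with an assumed likelihood-times-severity weighting so the combined library can be used to prioritize mitigation.

```python
"""Added example: build a threat library from a CAPEC-style XML export and
merge organization-specific custom threats. Illustrative code for this page,
not ThreatModeler's importer; the XML fragment, the ORG- identifier scheme and
the risk weights are assumptions made for the example."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

CAPEC_NS = {"capec": "http://capec.mitre.org/capec-3"}

# Assumed ordinal weights for the CAPEC likelihood/severity vocabularies.
LIKELIHOOD_WEIGHT = {"Low": 1, "Medium": 2, "High": 3}
SEVERITY_WEIGHT = {"Low": 1, "Medium": 2, "High": 3, "Very High": 4}

# Constructed fragment following the CAPEC v3 element names (text abbreviated).
SAMPLE_CAPEC_XML = """<Attack_Pattern_Catalog xmlns="http://capec.mitre.org/capec-3" Name="CAPEC" Version="3.9">
  <Attack_Patterns>
    <Attack_Pattern ID="66" Name="SQL Injection" Abstraction="Standard" Status="Draft">
      <Description>Adversary injects SQL syntax into input consumed by a database query.</Description>
      <Likelihood_Of_Attack>High</Likelihood_Of_Attack>
      <Typical_Severity>Very High</Typical_Severity>
      <Related_Weaknesses><Related_Weakness CWE_ID="89"/></Related_Weaknesses>
    </Attack_Pattern>
    <Attack_Pattern ID="63" Name="Cross-Site Scripting (XSS)" Abstraction="Standard" Status="Draft">
      <Description>Adversary embeds script in content rendered by a victim's browser.</Description>
      <Likelihood_Of_Attack>High</Likelihood_Of_Attack>
      <Typical_Severity>Very High</Typical_Severity>
      <Related_Weaknesses><Related_Weakness CWE_ID="79"/></Related_Weaknesses>
    </Attack_Pattern>
    <Attack_Pattern ID="9999" Name="Retired pattern" Abstraction="Standard" Status="Deprecated">
      <Description>Should be skipped by the importer.</Description>
    </Attack_Pattern>
  </Attack_Patterns>
</Attack_Pattern_Catalog>
"""


@dataclass
class Threat:
    threat_id: str            # "CAPEC-66" for imported entries, "ORG-0001" for custom ones
    name: str
    source: str               # "CAPEC" or "custom"
    description: str = ""
    likelihood: str = "Medium"
    severity: str = "Medium"
    cwe_ids: list = field(default_factory=list)

    @property
    def risk_score(self) -> int:
        # Unknown vocabulary values fall back to the Medium weight.
        return LIKELIHOOD_WEIGHT.get(self.likelihood, 2) * SEVERITY_WEIGHT.get(self.severity, 2)


class ThreatLibrary:
    def __init__(self):
        self.threats = {}

    def load_capec(self, xml_text: str) -> int:
        """Import non-deprecated attack patterns; returns the number added."""
        root = ET.fromstring(xml_text)
        added = 0
        for ap in root.findall("capec:Attack_Patterns/capec:Attack_Pattern", CAPEC_NS):
            if ap.get("Status") == "Deprecated":
                continue
            cwes = [rw.get("CWE_ID") for rw in
                    ap.findall("capec:Related_Weaknesses/capec:Related_Weakness", CAPEC_NS)]
            t = Threat(
                threat_id=f"CAPEC-{ap.get('ID')}",
                name=ap.get("Name", ""),
                source="CAPEC",
                description=ap.findtext("capec:Description", default="", namespaces=CAPEC_NS).strip(),
                likelihood=ap.findtext("capec:Likelihood_Of_Attack", default="Medium", namespaces=CAPEC_NS),
                severity=ap.findtext("capec:Typical_Severity", default="Medium", namespaces=CAPEC_NS),
                cwe_ids=cwes,
            )
            self.threats[t.threat_id] = t
            added += 1
        return added

    def add_custom(self, threat: Threat) -> None:
        """Add an organization-specific threat; IDs must be unique across sources."""
        if threat.threat_id in self.threats:
            raise ValueError(f"duplicate threat id {threat.threat_id}")
        self.threats[threat.threat_id] = threat

    def ranked(self) -> list:
        """Threats ordered by descending risk score, ties broken by ID."""
        return sorted(self.threats.values(), key=lambda t: (-t.risk_score, t.threat_id))

    def by_cwe(self, cwe_id: str) -> list:
        return [t for t in self.threats.values() if cwe_id in t.cwe_ids]


def build_demo_library() -> ThreatLibrary:
    """Seed from the constructed CAPEC fragment and add one custom threat."""
    lib = ThreatLibrary()
    lib.load_capec(SAMPLE_CAPEC_XML)
    lib.add_custom(Threat("ORG-0001", "ATM cassette tamper", "custom",
                          "Physical tampering with cash cassette (assumed custom entry).",
                          likelihood="Medium", severity="High"))
    return lib


if __name__ == "__main__":
    for t in build_demo_library().ranked():
        print(f"{t.threat_id:10} score={t.risk_score:2} cwe={t.cwe_ids} {t.name}")
```

The importer skips patterns marked `Deprecated`, keeps the CWE mapping so a threat can be tied back to a weakness class, and refuses duplicate identifiers so a custom entry cannot silently overwrite an imported one.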

With the SaaS Private Cloud Offering Deployment, who are the potential users of ThreatModeler?

Typically, organizations favor a phased-in approach, whereby the core security team owns the process for overseeing the implementation of security controls, and this typically requires the involvement of security architects, security engineers, security analysts, and C-Level executives. Once threat models are completed for key applications, development teams can be integrated into the workflow, and usually this is done selectively and expanded as the process is formalized.
