Application Threat Modeling Services

Is threat modeling a roadblock for your application development lifecycle when it should be an enabler? If it is, you’re not alone. Traditional threat modeling services no longer meet the needs of the modern development team that relies on speed and automation. Kroll helps development teams design and build internal application threat modeling programs to identify and manage their most pressing vulnerabilities.


In the early stages of the journey toward a secure software development lifecycle (SDLC), threat modeling plays the key role of identifying attack surfaces and entry points, and is often cheaper than in later stages due to minimal remediation costs. To avoid the perception of threat modeling as a delay in the SDLC, Kroll leverages a flexible framework that incorporates advanced tooling with seasoned intelligence. 

What Is Application Threat Modeling?

Application threat modeling is the analysis of an application to identify and mitigate potential design and/or implementation weaknesses for the purpose of determining how best to protect it. It enables organizations to identify potential weaknesses in a system and pinpoint the design and implementation issues that require mitigation.

At Kroll, we’ve created a framework that enables developers to perform application threat modeling guided by a knowledge base of templates, standards, common vulnerabilities, security controls and process documentation. By using a wide range of tooling, teams are able to achieve broad and reliable coverage of common vulnerabilities and provide verification of threat mitigation.

Application Threat Modeling Program

There are three essential components in an effective application threat modeling program. The Application Threat Modeling Framework provides the structure for the two threat modeling processes, each of which focuses on a different aspect of and approach to application threat modeling.

  • Threat Modeling Framework

    Provides the foundation of the Threat Modeling program. The framework defines and serves as a central resource for:

      • Threat modeling core concepts and terminology
      • Kroll’s threat modeling approach and processes
      • Internal threat modeling knowledge base
      • Threat modeling training material
      • Internal and external reference materials
      • Tools, templates and guides

  • Abuse Case and Business Logic Threat Modeling Process

    Focuses the threat modeling effort on identifying threats, weaknesses and vulnerabilities that are unique to the application and cannot be identified using automation. This process brings the required levels of depth in uncovering potential threats within complex business logic scenarios.

  • Common Weaknesses & Controls Threat Modeling Process

    Focuses on identifying system weaknesses and the controls to prevent them with the help of automation. The common aspect of this process refers to the core components of systems and the issues that may arise from insecure implementations. The process leverages tooling to help automatically identify common and accepted guidance, good practices and design patterns early in the development lifecycle.


Analyzing threats involves time and effort. Kroll’s approach to defining and implementing application threat modeling programs makes it easy for teams to adopt, see results and implement improvements.

The Keystone Principles

Progress Over Perfection

Striving to achieve perfection hinders progress and growth. Focusing on progress allows for the celebration of incremental improvements and removes the barriers associated with an often-unachievable state.

Automate Where Possible, Relevant and Valuable

The intent of automation is to increase efficiency. When choosing to use automation to solve efficiency problems, it is important that we assess the value and impacts on related processes and ensure that automating is relevant and generates value.

Value in Diverse Perspectives

Participation from a variety of people bringing a diverse set of experience, expertise and perspectives to the process yields higher quality and more comprehensive findings.


Application Threat Modeling Approach

There is no single best approach to threat modeling. The right approach for your team is the one that works: it has been adopted, is consistently practiced across the organization and results in changes that improve overall security posture.

When it comes to its application threat modeling services, Kroll aims to strike a balance that is accessible, scalable, educational, useful and agile. The approach is integrated into two complementary processes supported by a defined methodology, guiding resources, standard operating procedures and tools.

Process 1: Common Weaknesses and Controls

Although systems differ in architecture, features and technology, many security-critical aspects are common.

Finding and addressing threats in each of these common areas follows well-known patterns and best practices.

Vendor solutions and tooling help automate this process and make application threat modeling accessible for all, and easy for any development team to implement.


Common Areas

  • Configuration and Deployment Management

  • Identity Management

  • Authentication and Authorization

  • Session Management

  • Input Validation

  • Error Handling

  • Cryptography

  • Client-Side Security


Process 2: Abuse Case and Business Logic

Abuse case and business logic threat modeling focuses on the threats that are unique to an application and system because they arise from its business logic design. These types of attacks and vulnerabilities are not discoverable by automated solutions, which lack the context needed to identify the issue.

Threat Modeling Part of a Cyber Risk Retainer

Kroll offers a robust but flexible Cyber Risk Retainer that can adapt to your business while providing you with prioritized access to Kroll’s elite digital forensics and incident response team to identify, respond to, contain and remediate an incident. The retainer can include threat modeling services as well as penetration testing, red team and tabletop exercises and even litigation support, regardless of your existing security stack.

Who We Are

Kroll’s solutions deliver a powerful competitive advantage, enabling faster, smarter and more sustainable decisions related to risk, governance and growth.

Serving clients in 140 countries across six continents, and spanning nearly every industry and sector, our proprietary data, technology and insights help our clients stay ahead of today’s complex demands.

Increased Cyber Resilience with a Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.


Connect with us

  • Rob Deane, Associate Managing Director, Cyber Risk, New York
  • Rahul Raghavan, Senior Vice President, Cyber Risk, Toronto
  • Jeff Macko, Associate Managing Director, Cyber Risk, Secaucus
