Lamine Aouad | Security Researcher
February 9, 2023

Threat Modeling vs. Vulnerability Management

While they complement each other, there isn't a great deal of overlap between these two security practices: one is proactive, and the other is reactive. This article presents their objectives, their scope, and why you should do both.

Breaches often exploit software vulnerabilities and misconfigurations to access systems, hence the importance of finding and mitigating these security issues in a timely manner. This is the role of vulnerability management. The sheer volume of reported vulnerabilities each year (over 25K in 2022 [1]) means that it is becoming increasingly challenging for most organizations to remediate even the most critical among them in appropriate time frames. This is where shifting security left can offer huge advantages. Threat modeling is one of the main practices for shifting security left and avoiding vulnerabilities at later stages. Security concerns are addressed as early as possible in the SDLC (Software Development Life Cycle), which dramatically reduces cost and improves product quality [2].

Threat modeling

NIST defines threat modeling as “A form of risk assessment that models aspects of the attack and defense sides of a logical entity, such as a piece of data, an application, a host, a system, or an environment” [3]. Threat modeling is essentially the process that allows you to make the appropriate design, implementation, or deployment decisions to secure applications, software, and systems from the get-go. The OWASP definition adds: “It works to identify, communicate, and understand threats and mitigations within the context of protecting something of value” [4].

Threat modeling is thus a proactive stance on security: a systematic approach and an analysis of the probable threats and attacks are the most likely way to prevent vulnerable applications and systems down the road.

Vulnerability Management

NIST defines vulnerability management as “An ISCM (Information Security Continuous Monitoring) capability that identifies vulnerabilities [Common Vulnerabilities and Exposures (CVEs)] on devices that are likely to be used by attackers to compromise a device and use it as a platform from which to extend compromise to the network” [5]. Vulnerability management addresses the need to fix vulnerabilities present on live production systems.

Vulnerability management is thus a reactive process. Even with the best will in the world, organizations cannot possibly patch every single vulnerability in their systems, and the vast majority will fall behind in the remediation race [6]. It has also been shown that the attacker has the first-mover advantage, even when it comes to the most prevalent critical and high-severity vulnerabilities [7].

The difference

The key differentiator between the two processes is “timing”. Threat modeling proactively helps security teams visualize and analyze potential threats to the application under development, or an existing system (generally before release), using MITRE ATT&CK TTPs, for instance. Threat modeling will then recommend preventative countermeasures against these threats, not only to the developer but to all the other stakeholders as well.

Vulnerability management, on the other hand, scans to reveal vulnerabilities that are already present in the system (after release). The frequency at which vulnerability scans are performed might be determined only by compliance requirements, which would be on a quarterly basis for many regulations and standards, e.g., PCI or ISO 27001. This is obviously not enough given the volume of reported vulnerabilities, and it will put the organization in a period of limbo that is all the attacker needs to breach the system.

How do they complement each other?

Cybersecurity has become a prioritization issue. Whether you’re threat modeling or scanning for existing vulnerabilities in your environment, the sheer number of possible threats and vulnerabilities makes it necessary to have an efficient prioritization approach. Threat modeling and vulnerability management can complement one another and work wonders together to prioritize what matters the most for your environment.

A threat generally takes advantage of a software vulnerability, a weakness, or a misconfiguration on target systems. The top exploited and exploitable security issues, as seen in the wild or in a given environment, can give a good idea of where the focus should be in terms of threats and mitigations. Conversely, threat modeling can also be used as a way to prioritize vulnerability patching. It gives vulnerability management teams a good understanding of relevant threats and how attackers work. Consequently, it helps identify which vulnerabilities in their environment are the most critical and should be prioritized for patching in order to avoid the most relevant threats or break potential attack paths.
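
One way to express this prioritization in code, as an added example that is not part of the original article: scanner findings are ranked by how many threat-model attack paths run through the affected asset, with the severity score only as a tie-breaker. The graph, asset names, finding ids (placeholders, not real CVEs) and scores are all constructed for illustration.

```python
# Constructed threat model: directed edges an attacker could traverse.
EDGES = {
    "internet": ["web", "vpn"],
    "web": ["app"],
    "vpn": ["app"],
    "app": ["db"],
    "db": [],
    "printer": [],  # vulnerable, but on no path to the target
}
ENTRY, TARGET = "internet", "db"

# Constructed scanner findings: (placeholder id, asset, CVSS base score).
FINDINGS = [
    ("VULN-A", "printer", 9.8),
    ("VULN-B", "app", 6.5),
    ("VULN-C", "web", 7.5),
    ("VULN-D", "vpn", 8.1),
    ("VULN-E", "db", 5.3),
]

def attack_paths(edges, src, dst, seen=()):
    """Enumerate simple (cycle-free) paths from src to dst."""
    if src == dst:
        return [[dst]]
    seen = seen + (src,)
    return [[src] + tail
            for nxt in edges.get(src, []) if nxt not in seen
            for tail in attack_paths(edges, nxt, dst, seen)]

def viable_paths(edges, findings, src, dst):
    """Paths on which every asset after the entry point has an open finding."""
    vulnerable = {asset for _, asset, _ in findings}
    return [p for p in attack_paths(edges, src, dst)
            if all(a in vulnerable for a in p[1:])]

def prioritize(edges, findings, src, dst):
    """Rank by number of viable attack paths through the asset, then CVSS."""
    paths = viable_paths(edges, findings, src, dst)
    return sorted(findings, reverse=True,
                  key=lambda f: (sum(f[1] in p for p in paths), f[2]))

def paths_left_after_fix(edges, findings, fixed_id, src, dst):
    """Count viable attack paths that remain once one finding is remediated."""
    remaining = [f for f in findings if f[0] != fixed_id]
    return len(viable_paths(edges, remaining, src, dst))

if __name__ == "__main__":
    for fid, asset, cvss in prioritize(EDGES, FINDINGS, ENTRY, TARGET):
        left = paths_left_after_fix(EDGES, FINDINGS, fid, ENTRY, TARGET)
        print(f"{fid} {asset:8} cvss={cvss} paths left if fixed={left}")
```

A severity-only ranking would put the 9.8 finding on the isolated printer first; here the 6.5 finding on the application server comes first because both paths to the database pass through it, and fixing it leaves no viable path.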

Conclusion

While having a robust vulnerability management program is necessary, creating a mature cybersecurity posture certainly does not start there. Since 2017, the number of reported vulnerabilities has hit an all-time high every single year [1]. Shifting security left is needed more than ever. Organizations that are not using threat modeling are choosing to take an avoidable risk for both themselves and their customers. These two security practices do not replace one another, however; they complement each other in a way that will reduce the attack surface in the most efficient manner possible.

References

[1] https://nvd.nist.gov/vuln/search/statistics?form_type=Basic&results_type=statistics&search_type=all&isCpeNameSearch=false
[2] https://techigai.io/5-reasons-why-shift-left-testing-can-lead-to-faster-better-releases/
[3] https://csrc.nist.gov/glossary/term/threat_modeling
[4] https://owasp.org/www-community/Threat_Modeling
[5] https://csrc.nist.gov/glossary/term/vulnerability_management
[6] https://www.tenable.com/blog/how-organizations-can-reduce-the-economic-incentives-of-vulnerabilities
[7] https://www.tenable.com/blog/quantifying-the-attacker-s-first-mover-advantage