Abstract
The software systems of modern architectures are characterized by high heterogeneity and by the use of a model that delegates the control of individual components to third parties, making these systems more vulnerable to cyber-attacks. As a consequence, best practices, such as the Security-by-Design development methodologies, suggest taking into account security all over the systems life cycle, starting from the very early stages (e.g. from initial requirement analysis). Thus, one of the most relevant practices is Threat Modeling (TM), i.e. the activity devoted to identifying the possible threats that may affect the system. According to most security-related best practices, TM should be done as early as possible, in order to help in the requirement elicitation. Threat Modeling is a complex activity, that requires security experts with consolidated skills, able to predict and anticipate the possible issues: as a consequence, it is a costly activity, both in terms of time and money. Due to the continuous need of enforcing security, the effect of new regulation and the wide diffusion of ICT systems, there is a recent growth of tools and techniques that support and aims at automatizing Threat modelling activities. This work illustrates the approach adopted by our research team and compares the results of our technique with two other existing tools, in order to offer a brief overview of the state of the art of threat modelling automation techniques and of state of art limits and open research topics. It is worth noting that our comparison does not aims at being complete and focuses only on open tools (or on their free/community version), but offers a basis for understanding the progress of security automation processes in terms of threat modelling.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
- 2.
Full threat modelling comparison is available on request.
References
Microsoft threat modeling tool (2018). https://docs.microsoft.com/it-it/azure/security/develop/threat-modeling-tool
Abela, R.: Statistics show why WordPress is a popular hacker target (2020)
Ansari, M.T., Pandey, D., Alenezi, M.: STORE: security threat oriented requirements engineering methodology (2019)
Arsac, W., Bella, G., Chantry, X., Compagna, L.: Multi-attacker protocol validation. J. Autom. Reason. 46(3–4), 353–388 (2011)
Bhattacharya, D.: OWASP threat dragon review (2020)
Casola, V., Benedictis, A.D., Rak, M., Villano, U.: Preliminary design of a platform-as-a-service to provide security in cloud. In: Proceedings of the 4th International Conference on Cloud Computing and Services Science - CLOSER, pp. 752–757 (2014)
Casola, V., De Benedictis, A., Rak, M., Rios, E.: Security-by-design in clouds: a security-SLA driven methodology to build secure cloud applications. Procedia Comput. Sci. 97, 53–62 (2016). 2nd International Conference on Cloud Forward: From Distributed to Complete Computing
Casola, V., De Benedictis, A., Rak, M., Villano, U.: Toward the automation of threat modeling and risk assessment in IoT systems. Internet Things 7, 100056 (2019)
Drake: Threat Modeling. https://owasp.org/www-community/Threat_Modeling
Frydman, M., Ruiz, G., Heymann, E., César, E., Miller, B.P.: Automating risk analysis of software design models. Sci. World J. 2014, 805856 (2014)
Goodwin, M.: OWASP Threat Dragon. https://github.com/owasp/threat-dragon/releases
Granata, D., Rak, M.: Design and development of a technique for the automation of the risk analysis process in IT Security, p. 14 (2021)
Joint Task Force Interagency Working Group: Security and privacy controls for information systems and organizations. NIST (2020)
Kornecki, A.J., Janusz, Z.: Threat modeling for aviation computer security. CrossTalk 28, 21–27 (2015)
Musman, S., Turner, A.J.: A game oriented approach to minimizing cybersecurity risk. Saf. Secur. Stud. 8, 212–222 (2018)
OWASP: OWASP Automated Threats to Web Applications (2018)
OWASP: Threat Modeling Manifesto. https://www.threatmodelingmanifesto.org/
Rak, M., Salzillo, G., Granata, D.: EssecA: an automated expert system for threat modelling and penetration testing for IoT ecosystems. Comput. Electr. Eng. 99, 107721 (2022)
Schaad, A., Borozdin, M.: TAM: automated threat analysis. In: Proceedings of the 27th Annual ACM Symposium on Applied Computing, SAC 2012, pp. 1103–1108. Association for Computing Machinery, New York (2012)
Singh, S., Tu, H., Allanach, J., Areta, J., Willett, P., Pattipati, K.: Modeling threats. IEEE Potentials 23(3), 18–21 (2004)
Tatam, M., Shanmugam, B., Azam, S., Kannoorpatti, K.: A review of threat modelling approaches for apt-style attacks. Heliyon 7(1), e05969 (2021)
Xiong, W., Lagerström, R.: Threat modeling - a systematic literature review. Comput. Secur. 84, 53–69 (2019)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Granata, D., Rak, M., Salzillo, G. (2022). Automated Threat Modeling Approaches: Comparison of Open Source Tools. In: Vallecillo, A., Visser, J., Pérez-Castillo, R. (eds) Quality of Information and Communications Technology. QUATIC 2022. Communications in Computer and Information Science, vol 1621. Springer, Cham. https://doi.org/10.1007/978-3-031-14179-9_17
Download citation
DOI: https://doi.org/10.1007/978-3-031-14179-9_17
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-14178-2
Online ISBN: 978-3-031-14179-9
eBook Packages: Computer ScienceComputer Science (R0)