Shostack + Friends Blog


Chuck, Acme, and Remediation Avoidance

Threat modeling really CAN save you money, just ask Chuck! man sitting on gray arm chair using silver laptop computer on building balcony at daytime

Back in April, Forrester published The Total Economic Impact™ Of The IriusRisk Automated Threat Modeling Platform. They looked at a composite of three organizations that moved from ad-hoc, manual threat modeling to automated threat modeling. One of the report’s key findings was that cost savings from “remediation avoidance” was the biggest cost saving category with $4.9 million over a three-year period. The others included (all over three years):

  • Automation efficiencies ($1.8m)
  • Increased productivity in compliance and reporting ($3.9m)
  • Productivity from integration ($108k)
  • Avoiding security incidents ($35k)

That’s a lot of money. With companies struggling right now, the cost savings increases your margins this year. And to be honest, I think that the avoidance of security incidents savings are surprising, and assume that the pen testers who find these things will be the kind that get forgiveness and negotiate rules of engagement before planting their flag.

That said, you should be asking the question: How do I get those savings?


Let’s think about a hypothetical company, Acme. Chuck Jones is working on an app for drone-delivered anvils. He knows that his primary user-base are coyotes attempting to catch road runners. Chuck and Acme didn’t realize that road runners only survive in this crazy world because of their mad skills — now including compromising mobile apps.

Acme has heard angry complaints about these problems, and now pays a lot for penetration testing. They get lots of ugly findings when they think they’re ready to ship. This leads to big, shouting escalations and difficult fights over what to fix first. They’re going to spend several months to a year trying to remediate all these things while still running the business, and, frankly, writing more vulnerable features.

When threat modeling backfires

After this pen test, The Powers That Be (TPTB) at Acme send Chuck a memo saying that he needs to threat model. Maybe they’ve heard about it from the pen testers, or they’ve seen it in some cyber resilience compliance requirement. Since TPTB doesn’t have a plan for rolling out the program, they just say “we’ll figure that out later.”

Standing woman with arms outstretched in a questioning stance apparently upset at her seated male coworker who is looking away and is resting a hand on top of his head.

Chuck rolls his eyes. He’s been told to make this new “threat modeling” thing happen, but he doesn't know why. Worse, no one’s given him resources to successfully complete the task. Now he’s given another item on an already long “to do” list. Without the right skills and resources, Chuck flails like a falling coyote, and TPBT that sent the memo lose credibility.

Without a plan, threat modeling just becomes another waste of time.

Threat modeling is a journey, not a destination

Going from no threat modeling to good automated threat modeling takes time. If Acme had planned better, they would have given Chuck some resources and time to learn.

Let’s look at what happens if Acme gives Chuck some free resources, like our Fast, Cheap and Good: An Unusual Tradeoff Available in Threat Modeling whitepaper.

He learns that if he’d asked “what could go wrong” he’d have realized:

  • Road runners are really good at modifying app data to protect themselves from flying anvils.
  • Gravity is a coyote’s natural enemy.
  • A coyote can overtake heavier objects to fall faster and get squished by them.

If he’d thought about these threats as he designed the app, he’d have been able to address them. Customers would be happier, and less likely to squash themselves. There’d be fewer late nights working to re-work the laws of gravity.

Now that Chuck has proven to Acme that even lightweight threat modeling can save money and time, Acme decides to give him a training course so that he can uplevel these skills and apply them consistently to all software he develops.

Automating for road runner speed

To go back to the report, manual threat modeling is hard to scale. With a small team of five or ten developers, a threat modeling course alone may be enough. With small teams, you can manage the ambient information, or shared knowledge, that people have when working together on a project. As your team grows, ambient information needs to become more crisp so you can create consistency.

If we look at the report, its description of the composite company is:

multinational financial organization with headquarters in North America and Europe, and it generates revenues of $10 billion to $20 billion each year. It has an employee base of 50,000 to 100,000; the software security group consists of 50 security architects and 150 security champions. There are a total of 1,000 developers. The composite organization has a portfolio of 1,000 products.

With automation, you formalize the work and share the information across all these different people, but that doesn’t mean you can just use technology. That’s different from, say, static analysis, which can find insecure API use without a code review.

Winding road through desert canyon at sunset, taken at slow shutter speed to create streaks of light from a passing car.

If your team only relies on the technology, you’ll be able to bring your threat modeling time down to eight hours from eighty. The question is whether that automation delivers the fullest value? If your team doesn’t understand how to threat model, then they won’t be able to gain the full benefit.

You’ll be achieving some remediation avoidance, saving some time and money. With the right skills to manage the automation, you optimize the value of that technology investment.

Even more importantly, you want the different people within your organization to have the appropriate skills for their jobs. This means that you want to look for courses focused on:

  • Engineers who aren’t security specialists.
  • Security architects who want an in-depth course with information about things like tools, kill chains and risk management
  • Security champions who introduce, lead, and evaluate threat modeling work

With the right skills, you’ll find that your team can optimize the technology, reducing the time and costs of remediating product security laws with:

  • Developers highlighting issues and implementing controls prior to them ever being an issue in the code
  • Security teams receiving the list of tasks before any code is written
  • Security champions creating metrics that prove the business value of threat modeling and the tool

People skills support technology investments

Avoiding the time and money spent on remediating issues is one of threat modeling’s key business values. It’s the digital version of “measure twice, cut once.” If you’re just getting started on your threat modeling journey, you might want to check out some of our courses to help your team build their skills. If you’re looking for something to help a larger team, we also provide customized corporate trainings that can include incorporating your real systems and working with any threat modeling technologies you have.

To learn more about what’s available or to get notified when new courses go live, contact us today!

Primary photo by LinkedIn Sales Solutions on Unsplash.
Photo "Conflict Avoidance" from
Photo by Frankie Lopez on Unsplash.