GuidePoint Security AppSec 2022 Predictions: Threat Modeling and Software Supply Chain Security


Industry executives and experts share their predictions for 2022.  Read them in this 14th annual series exclusive.

Threat Modeling and Software Supply Chain Security

By Josh Wallace, GuidePoint Security

2021 has brought many things, but from an application security perspective, we've seen new standards from NIST and OWASP around threat modeling and we've seen the impact of supply chain attacks that have wreaked havoc on systems, industries and consumers. As we look to 2022, we can use the application security related events from 2021 as our guide for what's to come.

Threat modeling, threat modeling... and did someone say threat modeling!?!?

Following the Executive Order for Improving the Nation's Cybersecurity, the National Institute of Standards and Technology (NIST) put out their Recommended Minimum Standard for Vendor or Developer Verification of Code, which included six recommended technique classes for software verification. Unsurprisingly, if you read the subhead for this section, threat modeling topped the list, alongside automated testing, code-based analysis, dynamic analysis, checking included software, and fixing bugs. Additionally, NIST recommends that threat modeling should be performed "multiple times during development, especially when developing new capabilities, to capture new threats and improve modeling."

In addition to the publication from NIST, the Open Web Application Security Project (OWASP) has published a new version of the OWASP Top 10, the first new version since 2017. As part of this release, OWASP has added a new item to the Top 10, Insecure Design. This item focuses on design flaws within applications and advocates for the use of Threat Modeling and Architecture Reviews.

Most organizations are using the standards published by NIST and OWASP to drive their application security program. As a result, we are going to see a spike in threat modeling activities and tooling in the coming year.

The earlier you can identify design-related flaws and potential threats, and implement effective compensating security controls to mitigate those threats, the better off you will be from both the security team's and the application owner's perspective. Since it ultimately helps both developers and security teams, threat modeling can also drive positive culture change between these groups and their viewpoints. Think about it... if you can identify design flaws and potential threats in applications BEFORE time is spent on application or feature development, that's a win for the development team. If threat modeling is performed from the start, it will help the security team drive relevant, subsequent security activities.

Threat modeling provides a win-win scenario by educating teams on the use of security leading practices, and allowing teams to scale their security efforts while avoiding costly design flaws that are difficult to fix once the application has already been deployed to production.

Greater emphasis on cybersecurity within the software supply chain

Another prediction for the coming year is that we will see more organizations focusing on supply chain security due to the attacks and breaches that we saw in 2021, as well as the Executive Order on Improving the Nation's Cybersecurity.

The big impact we will see is that organizations will be struggling to understand the third-party and open source libraries that are used in their software development. Tools in this space are increasing in maturity and many organizations will leverage these tools to start creating a Software Bill of Materials (SBOM) for many of their key solutions. Additionally, it will become a normal part of the procurement process to request an SBOM for solutions purchased from third-party vendors. This will cause some friction between organizations and their suppliers, as many technology suppliers have been hesitant to share this information in the past.

As this need to understand, manage, and document our own software supply chains grows, we're going to see organizations create new positions to support this need - particularly, software supply chain architects and teams that will manage this process internally and for the organization's suppliers. These teams will be responsible for monitoring software dependencies, documenting secure usage, approving new libraries, managing internal and vendor SBOMs and identifying risk to the organization based on this data.

There are several key players in the software composition analysis (SCA) space today and I think we'll continue to see new vendors emerge. The lead SCA vendors will need to scale and adapt to manage information provided by vendors as well. There is also opportunity here for new vendors to emerge in an adjacent space - we are already starting to see new vendors that have built products to consume SBOMs created by these SCA vendors and perform additional analysis to identify risks in these components, not just CVEs.
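As an added illustration of the kind of SBOM-driven policy check a software supply chain team might run over the data described above (example code written for this page, not a GuidePoint tool or any SCA vendor's product), the following parses a constructed CycloneDX-style SBOM and flags components that are missing from a hypothetical approved-library list, fall below an approved minimum version, carry a denylisted license, or declare no license at all. The component names, versions and policy values are all made up for the example.

```python
import json

# Constructed sample SBOM in CycloneDX JSON shape. The component names,
# versions and package URLs are invented for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.1.0",
         "purl": "pkg:pypi/example-http@2.1.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "example-yaml", "version": "0.9.3",
         "purl": "pkg:pypi/example-yaml@0.9.3",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "library", "name": "example-crypto", "version": "1.0.0",
         "purl": "pkg:pypi/example-crypto@1.0.0"},
    ],
})

# Hypothetical internal policy that an approving team would maintain:
# which libraries are approved, from which version, and which licenses
# are not acceptable in the organization's products.
APPROVED = {
    "example-http": {"min_version": "2.0.0"},
    "example-yaml": {"min_version": "1.0.0"},
}
LICENSE_DENYLIST = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_text):
    """Parse the SBOM document and return its component list."""
    doc = json.loads(sbom_text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported SBOM format: %r" % doc.get("bomFormat"))
    return doc.get("components", [])


def component_licenses(component):
    """Collect SPDX ids (or free-form names) declared for a component."""
    ids = set()
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        if "id" in lic:
            ids.add(lic["id"])
        elif "name" in lic:
            ids.add(lic["name"])
    return ids


def evaluate_sbom(sbom_text, approved=APPROVED, license_denylist=LICENSE_DENYLIST):
    """Return (name, version, reason) findings for every policy violation."""
    findings = []
    for comp in load_components(sbom_text):
        name, version = comp.get("name"), comp.get("version", "")
        if name not in approved:
            findings.append((name, version, "not on approved-library list"))
        else:
            minimum = approved[name]["min_version"]
            try:
                if parse_version(version) < parse_version(minimum):
                    findings.append((name, version,
                                     "below minimum approved version %s" % minimum))
            except ValueError:
                findings.append((name, version, "unparseable version"))
        if not comp.get("licenses"):
            findings.append((name, version, "no license declared"))
        for lic in sorted(component_licenses(comp) & license_denylist):
            findings.append((name, version, "license %s is on the denylist" % lic))
    return findings


if __name__ == "__main__":
    for name, version, reason in evaluate_sbom(SAMPLE_SBOM):
        print("%s %s: %s" % (name, version, reason))
```

The checks here are deliberately about approval, version floors and licensing rather than CVE lookups, which is the "not just CVEs" analysis the paragraph above describes; a real pipeline would feed the same parsed component list into a vulnerability database query as a separate step.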


Organizations are writing more code than ever before. Not only this, but they are also deploying at a much faster pace as business needs are driving shorter release cycles. The only way that security teams can keep up with this deployment rate is to enable developers to write secure applications and prevent vulnerabilities earlier in the development lifecycle. As we increase our vendor and open source footprint, it is also critical that we understand the risks associated with these components and enable application teams to make better decisions.



Josh Wallace 

Josh Wallace is the Application Security Strategic Services Practice Lead at GuidePoint Security. Since 2004, his primary focus has been on helping organizations secure their products by building business-aligned application security programs and leveraging DevSecOps principles to embed security throughout the entire SDLC. He has extensive experience in application development, cybersecurity architecture, and application security consulting, specializing in DevSecOps and product security. He has led multi-million-dollar application security transformations crossing all areas of business and has consulted organizations of all shapes, sizes, and maturity. Josh's experience includes designing and building global application security programs, penetration testing, architecture reviews and threat modeling, malicious code detection, and leading organization-wide DevSecOps transformations.

Prior to GuidePoint, Josh served as the DevSecOps Practice Lead for a Big 4 consulting firm. In this role, Josh led a team of global security consultants to perform Agile security testing and malicious code detection for a multinational financial institution. Additionally, he was responsible for creating several innovative services, such as a Security-as-Code program and developing the foundations for "inner-loop" security. Josh's portfolio includes customers across multiple sectors, including hospitality, power and utility, tourism, healthcare, technology, and financial services.

Josh holds a Bachelor's degree in Psychology and an Associate's in Information Systems. He also holds several certifications including the SANS GPEN and Certified Ethical Hacker. He has presented at many industry conferences, including LASCON, CodeMash, Protect, and DevSecCon.

Published Monday, November 01, 2021 7:33 AM by David Marshall