Systematic analysis of automated threat modelling techniques: Comparison of open-source tools

Abstract

AbstractCompanies face increasing pressure to protect themselves and their customers from security threats. Security by design is a proactive approach that builds security into all aspects of a system from the ground up, rather than adding it on as an afterthought. By taking security into account at every stage of development, organizations can create systems that are more resistant to attacks and better able to recover from them if they do occur. One of the most relevant practices is threat modelling, i.e. the process of identifying and analysing the security threat to an information system, application, or network. These processes require security experts with high skills to anticipate possible issues: therefore, it is a costly task and requires a lot of time. To face these problems, many different automated threat modelling methodologies are emerging. This paper first carries out a systematic literature review (SLR) aimed at both having an overview of the automated threat modelling techniques used in literature and enumerating all the tools that implement these techniques. Then, an analysis was carried out considering four open-source tools and a comparison with our threat modelling approach using a simple, but significant case study: an e-commerce site developed on top of WordPress.