Hi Archie, please tell us about your role at ThreatModeler and how the company was established.
I am the CEO and founder. I am an industry expert in application security, having worked as a thought leader and executive in multiple engineering and security roles such as security consultant, engineer, educator, and architect for over 20 years. I established ThreatModeler to provide organizations an automated, easy-to-use and actionable SaaS platform for comprehensive application, mobile, embedded, IoT and cloud asset threat modeling techniques using industry frameworks, over the traditional labor-intensive ways of the past. ThreatModeler has become the #1 platform over the past 13 years since inception.
What are your core offerings? What kind of problems do you solve for your customers?
Our core offerings are ThreatModeler, CloudModeler and IaC-Assist, which address the full spectrum of reducing threat drift from code to cloud within the DevSecOps lifecycle, so that design flaws are identified, prioritized and remediated prior to code being developed and deployed.
What are threat models? How do these models enable organizations to enforce stronger security protocols?
Threat models are visual representations of threat attack vectors that posit tangible, quantifiable security and operational risk across mission-critical organizational assets such as cloud, infrastructure, applications, mobile and embedded systems. The ThreatModeler platform saves organizations time and human-capital-intensive operations through real-time automation for effective decisions, so that vulnerable design patterns and risky or deficient security controls can be remediated early, during the design phase of any development lifecycle, and not as an afterthought when it may already be too late for any meaningful remediation. As such, threat models help strengthen security controls by default and help organizations meet compliance with regulatory controls as well.
What is the origin of the concept of Infrastructure as Code (IaC)? How does it make cloud migrations and deployments safer and more secure?
Infrastructure as Code (IaC) is a pretty clever idea for those in DevOps: use a descriptive coding language to automate the provisioning of IT infrastructure. The challenge is, just because you manage your infrastructure with code, doesn’t mean that infrastructure is secure. And that’s where IaC-Assist comes in.
IaC-Assist, which loads right in your IDE (development environment), enables engineers to implement security policies and controls without having to leave their coding environment. IaC-Assist identifies design flaws in code, explains the issue and provides just-in-time contextual guidance for revision. This enables DevOps teams to continuously evaluate their Infrastructure-as-Code on the fly, while simultaneously eliminating an entire security sprint. IaC-Assist brings security into the development environment, providing real-time guidance as DevOps teams write Infrastructure-as-Code.
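To make the "managed as code is not the same as secure" point concrete, here is an added example (not IaC-Assist or any ThreatModeler code) of a minimal policy check run over a constructed Terraform JSON-syntax document: it flags two design flaws and pairs each finding with remediation guidance, the shape of feedback a developer would want before the infrastructure is deployed.

```python
"""Minimal IaC design-flaw check over Terraform JSON syntax (added example).
Each finding is (resource address, issue, remediation guidance)."""
import json

# Constructed sample: an SSH rule open to the whole internet and an
# S3 bucket with a world-readable ACL. Not taken from any real deployment.
SAMPLE_TF_JSON = json.dumps({
    "resource": {
        "aws_security_group": {
            "web": {"ingress": [
                {"from_port": 22, "to_port": 22, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"]},
                {"from_port": 443, "to_port": 443, "protocol": "tcp",
                 "cidr_blocks": ["0.0.0.0/0"]}]}},
        "aws_s3_bucket": {
            "logs": {"bucket": "example-logs", "acl": "public-read"}}}})

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}  # remote-administration ports

def check_security_groups(resources):
    """Flag ingress rules that expose an admin port to every IPv4 address."""
    findings = []
    for name, sg in resources.get("aws_security_group", {}).items():
        for rule in sg.get("ingress", []):
            for port, proto in ADMIN_PORTS.items():
                if rule["from_port"] <= port <= rule["to_port"] and \
                        "0.0.0.0/0" in rule.get("cidr_blocks", []):
                    findings.append((f"aws_security_group.{name}",
                        f"{proto} (port {port}) is reachable from any IPv4 address",
                        "restrict cidr_blocks to trusted ranges or a bastion host"))
    return findings

def check_buckets(resources):
    """Flag S3 buckets whose canned ACL makes them readable by anyone."""
    findings = []
    for name, b in resources.get("aws_s3_bucket", {}).items():
        if b.get("acl", "private").startswith("public"):
            findings.append((f"aws_s3_bucket.{name}",
                f"ACL '{b['acl']}' grants read access to anyone",
                "set acl = \"private\" and enable account-level public access blocks"))
    return findings

def scan(tf_json):
    """Parse the Terraform JSON document and return every finding."""
    resources = json.loads(tf_json).get("resource", {})
    return check_security_groups(resources) + check_buckets(resources)

if __name__ == "__main__":
    for addr, issue, fix in scan(SAMPLE_TF_JSON):
        print(f"{addr}: {issue}\n    guidance: {fix}")
```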
How does a company like ThreatModeler fit into the cybersecurity management landscape that caters to the web, mobile, edge and IoT businesses?
ThreatModeler is at the heart of the cybersecurity ecosystem, particularly in the DevSecOps lifecycle, where design flaws can be identified, prioritized and remediated through risk-quantified threat models before code is written and deployed. A single design flaw can lead to multiple costly code defects, and at the volume and velocity of code being written for today’s business needs, the sooner a design flaw is identified and remediated prior to code being written, the more secure such assets as web, mobile, edge and IoT are by default. ThreatModeler’s value proposition is ‘secure by design, secure by default’.
Could you specifically highlight your work in the IoT segment?
ThreatModeler has a number of household customers that develop hundreds of IoT-specific threat models across consumer goods, embedded systems, and medical devices annually.
Please tell us about the growing challenges that CIOs/CISOs have to deal with in their DevSecOps toolchains.
There is a proliferation of DevSecOps tooling in most organizations’ toolchains for code review and code testing. However, these tools mostly overlap in functionality and focus on security defects in code only. CIOs/CISOs are spending, or have spent, a fortune on these solutions over the past many years, but technical security debt is significantly on the rise for many reasons: most of these toolchains are not well integrated with each other, their inputs/outputs are mismatched, and they are slow and introduce latency into the DevOps lifecycle, which typically means that developers ignore the vulnerabilities identified and therefore remediation. And simply dropping in a new tool without adapting the culture of the organization as it relates to DevSecOps will lead to failure. The volume of code being written, the agility of sprints in DevOps and the need for security to stay abreast of business demands through meaningful solutions that are low-friction, low-latency, highly accurate and high-fidelity remain at the top of CIOs’/CISOs’ minds.
What are your thoughts on the role of AI and machine learning in the cybersecurity and threat intelligence industry?
Expect organizations, vendors and threat actors to all embed sophisticated AI and ML in both defensive operations and offensive attacks in virtually every aspect of cybersecurity, even human intelligence (HUMINT), let alone digital threats. There is plenty of data to be harvested, whether on the dark web or in plain sight. It’s a function of bandwidth, time and motivation.
- Burn the midnight candle or soak in the sun?
- Soak in the sun
- Coffee, or Tea?
- Your favorite Snyk offering that you want everyone to know about?
- First memorable experience in your career as a technology leader?
- Earning employees’ respect as first-time CEO
- One thing you remember about your employee(s):
- Most useful app that you currently use:
Thank you, Archie! That was fun and we hope to see you back on cioinfluence.com soon.
[To participate in our interview series, please write to us at firstname.lastname@example.org]
Archie Agarwal is the Founder and CEO of ThreatModeler. Archie has over 20 years of experience in risk and threat analysis. Previously, at WhiteHat Security, as director of education and thought leader he specialized in threat modeling, security training and strategic development. He has also held positions at PayCycle (acquired by Intuit), Citi, HSBC and Cisco. Archie is a Certified Information Systems Security Professional (CISSP) and is SANS GWEB certified.
ThreatModeler Software, Inc.’s suite of products empowers DevOps to measure their threat drift from code to cloud. With a fraction of the time and cost tied to other tools, users can design, build and validate threat drift from development to deployment. Teams can instantly visualize their attack surface, understand security requirements and prioritize steps to mitigate threats. CISOs can make critical security-driven business decisions to scale their infrastructure for growth.