Automated Threat Modeling

Threat Modeling is essentially a collaborative activity where the business and the security team sit together to work out the attack surface and the related threats for the use case being modeled. While the security team is most often successful at identifying the common security threats (authentication, authorization, use of vulnerable frameworks, error handling, cryptography, data handling, etc.) when threat modeling is done during the design stage of a piece of software, it is usually very difficult to do for a legacy application.

But then, why does one need a threat model for a legacy application? Isn’t it too late by then? Yes, but that does not mean it cannot be done. Threat Modeling is a late pickup: while companies have readily adopted vulnerability assessment, SAST, DAST, etc., they haven’t done so for threat modeling because it is effort intensive, poorly understood, its prerequisites are most often not in place, and, especially in the agile/DevSecOps age, it is practically impossible to fit into the delivery cadence.

But what if I told you that you can do automated threat modeling, at least for the deployment architecture of your application, by introducing a network discovery tool into your application environment, letting it work out the as-is communications, and then feeding the results to a threat modeling tool that can derive the threats with the least possible manual intervention? This is one of the best approaches I have seen in a while, and I would recommend it to any organization looking for quick wins with minimal effort.

Introducing ThreatModeler's collaboration with Avocado. Try it out to see the results. (P.S. I am associated with neither ThreatModeler nor Avocado.)

https://www.globenewswire.com/news-release/2020/09/08/2090039/0/en/ThreatModeler-Announces-Automated-Threat-Modeling-for-Legacy-Applications.html