Scaling Your Threat Modeling Program using GenAI | by Renae Kang | Sep, 2024

In this security industry, the manual processes that drive traditional threat modeling methods are increasingly inadequate for managing the growing scale and complexity of today’s products and services. Lack of scalability leaves gaps in security, undermines customer trust, and hinders the ability to track patterns and provide consistent guidance due to insufficient data collection. The advent of generative AI (GenAI) further exposes the limitations of manual methods as it opens the door to more sophisticated and harder-to-detect threats.

Adobe has an ongoing commitment to explore and adopt state-of-the-art capabilities as our business and security practices evolve. We recognize that as we continue to grow and scale as a company, simply relying on manual threat models would lead to significant bottlenecks. To address these challenges and improve our overall security posture, we transformed our threat modeling program by integrating GenAI capabilities.

By leveraging automation and AI-driven insights, Adobe Security’s new GenAI-based threat modeling platform transforms the threat modeling process throughout Adobe by addressing the scalability, sophistication, and data collection issues inherent in traditional manual threat modeling methods. It empowers Adobe product and engineering teams to create robust threat models with ease, while ensuring our teams have access to best practices and expert guidance necessary to protect our digital ecosystem.

Here are the benefits of leveraging automation and AI-driven insights as part of our threat modeling platform:

Simplifies the Security Process

GenAI analyzes workflow information from user-provided design documents, immediately identifies potential threats based on Adobe-specific context, and maps them to known weaknesses (Common Weakness Enumerations or CWEs) and common attack patterns (Common Attack Pattern Enumeration and Classifications or CAPEC IDs). This automation is a significant value addition for product teams because it allows them to focus on innovation without compromising security.

Provides Immediate, Actionable Feedback

The platform provides immediate, in-line, real-time feedback on detected threats and offers clear, specific, and actionable mitigation strategies based on security best practices, which empowers our product teams to remediate the risks before they can be exploited by adversaries and helps to implement security measures effectively and efficiently.

Gives Product Teams More Autonomy

We integrated security policies and best practice documentation directly into the platform to give teams the autonomy to manage the security of their products while being supported by expert guidance. To prevent over-reliance on AI, we established a protocol for critical reviews that require human involvement. In these scenarios, hands-on consultation with a security researcher includes manual threat modeling to help identify potential threats. This process ensures that complex and high-risk scenarios are thoroughly reviewed by human experts armed with AI-driven insights that they assess, assure, and action as part of their threat modeling capabilities.

Improves Collaboration and Visibility

The platform includes a user-friendly, self-service interface that acts as the centralized hub for all threat modeling activities. Product teams can create and share threat models within their team, enhancing collaboration. Since the threat model is a living document, it can be updated as the application evolves. Product teams can initiate updates whenever new features, infrastructure changes, or libraries are introduced. Teams also have the flexibility to determine how frequently they update the threat model. All threat models are stored in a central repository, enabling us to identify recurring patterns and develop targeted security solutions helping improve protection across all Adobe products and services.

Since deploying the automated GenAI-based threat modeling platform, we’ve detected over 400 actionable threats, providing product teams with clear mitigation strategies to promptly address these vulnerabilities. The result is an enhanced security posture and reduced potential risk for Adobe.

In addition, this new user-friendly interface has led to a 160 percent increase in productivity and efficiency across our user interface (UI) each month. Additionally, this streamlined process means that 80 percent of all threat models are now created in under 30 minutes, allowing our teams to focus more on innovation and less on the intricacies of threat modeling.

Overall, Adobe Security’s GenAI-based threat modeling platform has empowered our product and engineering teams to be more proactive and efficient in addressing security threats, benefiting not only Adobe, but ultimately our customers and partners by improving the security of our digital ecosystem. As we look ahead, our focus remains on advancing the platform with AI-driven capabilities, integrating deeper security insights throughout the development process, and continuously exploring new ways to anticipate and mitigate evolving threats in real time.