A security logo is shown on screen during a keynote address. (Photo by Ethan Miller/Getty Images)

ThreatModeler on Thursday launched the Threat Model Marketplace, a cybersecurity asset marketplace the will offer developers pre-built, field tested threat models for download for ongoing threat modeling initiatives and to help security teams with compliance.

The company said it plans to offer the service for free for at least 90 days. Development teams can use the service to help secure against threats across all major cloud environments, including, AWS, Microsoft Azure, and the Google Cloud Platform.

“Cloud has become so compelling because developers can self-service the use of so many IT resources, CSP managed services, and even applications,” said Archie Agarwal, founder and CEO of ThreatModeler. “With so much dynamism, security teams struggle to keep up with preventative threat modeling or architecture review. With the launch of ThreatModeler community, cloud-based threat models, not just diagrams, become equally as self-service for security engineers as the systems they’re modeling. It’s absolutely essential to keep pace with development evaluating risk continuously as systems are built and evolve.”

Craig Burland, chief information security officer at Inversion6, said lowering barriers of entry to get developers to use threat modeling was a shrewd tactic. Burland said offering pre-built models to speed analysis should also strike a chord with developers keen on moving fast. Burland said while this product offering won’t alter the trajectory of cloud security, it’s a sign of the growing awareness that solutions are needed to enable secure-by-design and true DevSecOps. 

“Threat modeling is one way to assess risk and incorporate security requirements into the development cycle,’ said Burland. “It’s one way, but not the only way. The key here is that developers start to consider security as a core element of their job. Writing performant code, efficient code, and reusable code are all laudable skills. It’s time the development community and product leaders include writing secure code as an expectation.”

John Bambenek, principal threat hunter at Netenrich, said many of the decisions made by security teams are subjective. Bambenek said we are often making our best guesses in what to spend, what to protect, and how to do it.

“Ideally, this is informed by experience, however, not everyone has access to experienced guidance,” Bambenek said. “This effort lets organizations at least get a start on how to understand threats to their environment so that they can make better decisions with the limited time and money they have.”