Whenever I have talked about security issues, either as a member of a team or consulting with a client, one of the questions I often get asked is “Is this really a problem?”
Well, the answer from me is invariably “Yes”, but not without caveats. There are of course circumstances in which a potential security flaw might not be a priority. Financial concerns, feature release, time to market and other priorities might be first and foremost for a business.
Engineering teams have finite time and resources available to deal with any number of issues that might be uncovered, let alone those that might not be a problem…yet.
This is why I feel an activity like Threat Modelling can be extremely useful to engineering teams. It can and should be carried out at the inception of a project or the creation of a product. It should also be performed periodically, especially when there is significant change in your applications and systems.
What is Threat Modelling?
OWASP describes Threat Modelling as being able to “identify, communicate, and understand threats and mitigations within the context of protecting something of value.”
The “something of value” is always going to be different, depending on who you are working with, and who matters within your organisation. It could be a system, network, application, service, or process. You could apply threat modelling to any number of scenarios.
It’s prudent to identify what is of value within your context. If you are working within a safety critical system, it would be to ensure that no security flaw results in a potential loss of life. If it is a financial system, it will likely be related to protecting financial assets, data, and even the data belonging to clients and customers.
Every context will be different, so every model will be different.
Approaches to Threat Modelling
How you approach your threat model will entirely depend on your context. There is no one-size-fits-all approach to threat modelling that can act as a magic bullet for all your security issues and risks. However, there are some existing approaches that might be useful to you, and that you could use or adapt to your context.
Selecting the approach or methods you might want to use is as important as the process of threat modelling itself. You might wish to have a more quantitative approach, such as DREAD, or a qualitative approach such as STRIDE. Some approaches such as Data Flow Diagrams or Attack Trees create a more visual representation of your threat model. Others are more formalised tools, such as Microsoft SDL or OWASP Threat Dragon.
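As an added example (not code from the original post), the snippet below combines two of the approaches named above: it enumerates STRIDE categories per element of a small data flow diagram, then ranks individual threats with a DREAD score. The STRIDE-per-element table is the commonly used one from Shostack's threat modelling work and the DFD and ratings are constructed sample data, not taken from this post.

```python
# STRIDE-per-element mapping (assumed: the commonly used table from
# Shostack's "Threat Modeling", not something this post defines).
STRIDE_BY_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}
CATEGORY = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service",
    "E": "Elevation of privilege",
}

def enumerate_threats(elements):
    """Return (element, category) pairs for a list of (name, kind) DFD elements."""
    return [(name, CATEGORY[c])
            for name, kind in elements
            for c in STRIDE_BY_ELEMENT[kind]]

def dread_score(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD risk: arithmetic mean of the five ratings, each on a 1-10 scale."""
    ratings = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= r <= 10 for r in ratings):
        raise ValueError("each DREAD rating must be between 1 and 10")
    return sum(ratings) / len(ratings)

def rank_threats(scored):
    """Sort a {threat description: DREAD ratings tuple} mapping, highest risk first."""
    return sorted(((dread_score(*r), t) for t, r in scored.items()), reverse=True)

# Constructed sample DFD for the dating-app scenario discussed in the post.
DFD = [("User (browser)", "external_entity"),
       ("Profile API", "process"),
       ("Profile DB", "data_store"),
       ("Browser -> Profile API (HTTPS)", "data_flow")]

# Constructed sample ratings for two of the enumerated threats.
SAMPLE_RATINGS = {
    "Profile API: information disclosure of a user's location": (9, 8, 6, 9, 5),
    "Browser -> Profile API: tampering with a profile update": (6, 5, 4, 7, 6),
}

if __name__ == "__main__":
    for element, category in enumerate_threats(DFD):
        print(f"{element:32} {category}")
    for score, threat in rank_threats(SAMPLE_RATINGS):
        print(f"{score:4.1f}  {threat}")
```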
Diversity and Threat Models
Every stakeholder in your context will have a different perspective. As a result, it’s extremely important to have a diverse group of people in the room when you are threat modelling.
This should include diversity of humanity, as well as technical or business background. The more heads you have around the table, the more likely it is you will identify a variety of potential threats to your projects and applications.
If for example you are creating an app for dating or other social interaction, it would be prudent to seek advice on potential threats and risks to the intended users of such an application. As a white, middle aged, heterosexual male, I will not have a full perspective on the range of potential risks and threats to both technical and personal security.
For many years, dating applications and their users have been exploited by both criminals and abusers to target vulnerable people. Exploring, together with special interest groups around race, gender, sexuality and abuse in relationships, the technical risks that might lead to such issues would be extremely beneficial to the process.
Don’t assume that because you don’t perceive a potential threat, one does not exist for another person or group of people. All our threat profiles are different. A great talk on Threat Modelling approaches and diversity by Saskia Coplans of Digital Interruption can be found here. She uses the example of the Death Star to great effect. Check it out.
Resources for Threat Modelling
OWASP Threat Modelling Cheat Sheet – this is a great starter document to discover more about threat modelling.
OWASP Threat Dragon – an open source threat modelling tool.
Microsoft SDL Threat Modelling Tool – The Microsoft Secure Development Lifecycle has its own threat modelling tool.
Adam also talks about threat modelling in relation to Star Wars in this video.