Threat Modeling Insider – April 2024

Threat Modeling Insider Newsletter

34th Edition – April 2024

Welcome!

We’re back once again with another packed edition of our Threat Modeling Insider! 

This month’s edition features an article written by our very own Steven Wierckx, where he discusses using old-school security resources for modern threat modeling and why they are still very relevant today. Our curated content features a Telenor article on the security architecture build phase, and an article written by Google’s Cryptography team, focussing on Google’s threat model for post-quantum cryptography.

But that’s not all of course, let’s take a look at what else we have in store for this month’s edition:


On this edition

Tips & tricks
Book tip: Security Engineering — Third Edition

Training update
An update on our upcoming training sessions.

Guest article

Retro Tech Tactics: Using Old-School Security for Modern Threat Modeling

As part of our job, we often read articles related to threat modeling. This is an excellent way to stay current with the latest trends and ideas and to discover where cutting-edge tools and techniques are being developed. Well-written articles on threat modeling are much less common than those on other security-related practices, such as secure programming and penetration testing. This, combined with my ongoing quest to uncover the complete history of threat modeling, often leads me to older articles—by old, I mean those published more than five years ago. Lately, I have discovered a few articles and resources that, while perhaps dated, contain a treasure trove of information and ideas still very relevant today.

I am embarking on a journey to discover an important concept or method in each of these earlier articles.

Today, I’m sharing some of these blog posts and resources and will demonstrate how they helped me grasp some concepts that are new to me.

It started with the article “Multiple Perspectives on Technical Problems and Solutions” by John Allspaw. Allspaw emphasizes that complex systems require multidisciplinary approaches and diverse perspectives to fully understand and effectively address issues. This well-known concept in threat modeling gains depth through his focus on dialogue and different forms of engagement, which provided me with ideas on how to refine my threat modeling process. Particularly, the aspect of ‘building confidence in the resilience of the solution’ intrigued me. The goal is clear, but how exactly would one achieve this?

At the beginning of the blog post, John also mentions a philosophy by Dan McKinley. The article “Choose Boring Technology” by Dan McKinley argues that businesses should prioritize using established, reliable, and well-understood technologies over newer, trendier ones. This aligns with my views as well—we are supposed to build resilient systems, not necessarily use the latest cutting-edge development framework unless it serves our goals. McKinley suggests that while it may be exciting to adopt the latest technologies, they often lead to unnecessary complexity, instability, and increased risk. Instead, he advocates for a pragmatic approach that focuses on tools and technologies with a proven track record of stability and support. Complexity and instability are, of course, enemies of a resilient system. Additionally, by choosing boring technology, businesses can minimize risks, reduce costs, and better focus on solving actual problems rather than constantly chasing the latest trends. However, from my personal experience, some very capable programmers and application architects are drawn to using the latest cutting-edge frameworks because it keeps their jobs interesting, and an organization might struggle to attract top talent to work on a system that uses only proven technology.

Combining both articles and sprinkling in some of my own experience, I would state the following concepts/rules to consider:

  1. Pragmatism over Novelty: Both articles advocate for prioritizing practicality and reliability over the allure of new and trendy technologies. They argue that while new technologies may seem exciting, they often come with risks and complexities that can outweigh their benefits. At Toreon, when teaching threat modeling courses, pragmatism is always emphasized—use the techniques that work well, discard everything else (this assumes you understand your own threat modeling process well).
  2. Focus on Stability and Reliability: McKinley and Allspaw stress the importance of choosing technologies and solutions that are proven to be stable, reliable, and well-understood. They argue that stability and reliability are critical for the smooth functioning of systems and minimizing disruptions. This also simplifies the creation of a threat model considerably; new types of attacks still need to be analyzed, but many security problems have already been solved by the community and do not require extensive analysis anymore.
  3. Consideration of Multiple Perspectives: Allspaw’s article emphasizes the importance of considering diverse viewpoints and insights when analyzing technical problems and designing solutions. Similarly, McKinley’s article indirectly supports this idea by advocating for a pragmatic approach that considers various factors, including stability, support, and business needs. It is my experience that the group of people needed to create a good threat model should include at least a person who understands the business (could be a product owner or a business analyst), an application architect, and a lead developer. There are also times when you will need stakeholders from the infrastructure team, legal team, and more.
  4. Holistic Understanding: Both authors suggest that a holistic understanding of technical challenges is essential for effective problem-solving. McKinley emphasizes the need to focus on solving actual problems rather than chasing the latest trends, while Allspaw highlights the value of integrating insights from different disciplines to gain a comprehensive understanding of complex systems. This element cannot be underestimated; there are many different security activities that can be performed when creating a secure product, all aimed at the same goal: creating a more resilient and secure product. I believe a good threat modeler has a deep understanding of all these activities. (Hint: OWASP SAMM is an excellent resource for discovering these different security activities.)

When I discussed this with our threat modeling group, they posed a very pertinent question: where would our customers find information on how to build such a resilient system? Again, I reached back in history to the excellent book by Ross Anderson, “Security Engineering”. There is a free version of the complete book. Although published in 2008, it is still relevant. In addition to the book, there are also 15 videos that explain several sections of the book.

Why look at a book from 2008? Well, it is still “correct”—the principles to secure products and systems have not changed much. This book covers the foundation and principles of creating a resilient system, and the techniques used have been proven and are time-tested. The resources are also available and accessible to everyone.

I will finish with a bold statement: I believe that by using these older resources, we are perfectly capable of creating a resilient and secure product that complies with the latest regulatory requirements and where the team can build high confidence in their product and its resilience. It is time to recycle these “old” ideas and perhaps not always necessary to come up with replacements for these ideas and techniques unless they show an actual improvement.

Advance your career with our in-company Threat Modeling Practitioner certification - tailored training options available!

CURATED CONTENT

Handpicked for you

Toreon Blog: Threat Modeling Playbook - Part 4 Strengthen your threat model processes

In a series of blogs, we unravel the complexities of executing a successful threat modeling strategy through our Threat Modeling Playbook. Part three focusses on how to strengthen your threat model processes.

Establishing the right processes is vital for increasing the maturity level of your threat model. This part of the playbook will guide you in setting up or updating these processes.

Security Architecture Build Phase: Planning and building a defendable architecture

To stay in our theme of security architecture and its marriage made in heaven with threat modeling, this Telenor article elaborates on how this integration significantly reinforces cybersecurity measures. By embedding threat modeling into the architecture build phase, organizations can anticipate and mitigate risks more effectively. This proactive approach aligns security implementations with potential threats, enhancing the architecture’s ability to defend against both known and emerging vulnerabilities.

Google's Threat model for Post-Quantum Cryptography

This Google article discusses the urgency of encrypting our data with quantum-secure algorithms to prevent potential decryption by attackers within a decade. Learn how this store-now-decrypt-later attack is driving the adoption of post-quantum cryptography (PQC) and how it highlights the need for a strategic plan to transition from classical to PQC algorithms in the face of future quantum computing threats.

It’s the first piece in a series on PQC from the Bug Hunters blog, written by Google’s Cryptography team. They share their latest insights and reasons behind the PQC migration, starting with an exploration of their threat model.

Given the evolving landscape, their perspectives might shift over time, but this post offers a snapshot of their understanding as of early 2024.


TIPS & TRICKS

Book tip: Security Engineering — Third Edition

Security Engineering: A Guide to Building Dependable Distributed Systems
In Security Engineering: A Guide to Building Dependable Distributed Systems, Ross Anderson (who, unfortunately, passed away recently) updates his classic textbook and teaches readers how to design, implement, and test systems to withstand both error and attack. This book became a best-seller in 2001 and helped establish the discipline of security engineering. By the second edition in 2008, underground dark markets had let the bad guys specialize and scale up; attacks were increasingly on users rather than on technology. The book repeated its success by showing how security engineers can focus on usability. Now the third edition brings it up to date for 2020. As people now go online from phones more than laptops, most servers are in the cloud, online advertising drives the Internet, and social networks have taken over much human interaction, many patterns of crime and abuse are the same, but the methods have evolved.

ThreatModCon 2024 Lisbon is here!

Upcoming trainings & events

Book a seat in our upcoming trainings & events

Threat Modeling Practitioner training, hybrid online, hosted by DPI 

Cohort starting on 13 May 2024

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Troopers Germany, Heidelberg

Next training date:
24-25 June 2024

Agile Whiteboard Hacking a.k.a. Hands-on Threat Modeling, in-person, hosted by Black Hat USA, Las Vegas 

Next training dates:
3-6 August 2024

Threat Modeling Practitioner training, hybrid online, hosted by DPI

Cohort starting on 23 Sep 2024

