Hi there, we’re glad you are reading our first edition of the Threat Modeling Insider. With this newsletter, we promise you’ll receive valuable and curated content about threat modeling that will help you bootstrap or elevate your security knowledge and skills.
This first edition of “TMI” features:
- A guest article by Adam Shostack
- Our threat modeling tip of the month
- A free threat modeling guide
- Curated articles from Bruce Schneier and Avi Douglen
- Updates on upcoming Toreon trainings
STRIDE’s 20th anniversary
Guest article by Adam Shostack
We’re at an exciting inflection point for threat modeling. Next month marks the 20th anniversary of the STRIDE model of threats. STRIDE was the first technique that guided threat analysis. (Attack trees, which are earlier, help to structure it, but don’t provide guidance.)
We’ve seen threat modeling evolve from an expert-only activity, acquired by apprenticeship and driven by exhortations like “think like an attacker” to become a discipline non-experts can apply.
We have ways to discuss threat models (attacker-centric vs software-centric). We have a Cambrian explosion of tool concepts: Microsoft’s Threat Modeling Tool, an IDE for threat modeling; Tutamen’s microservices; Continuum’s enterprise IriusRisk; PyTM’s threat models in the code; my own Elevation of Privilege card deck, with privacy variants and Alexa skills, and more, too numerous to name.
We have frameworks that allow us to compare methods and evolve them.
We have threat modeling tracks at conferences like the Open Security Summit, a discipline that didn’t exist 20 years ago. We have active communities at OWASP, I Am The Cavalry and elsewhere. We have people whose job title includes the words “threat modeling.”
We have government regulators who want to see security to be systematic, structured and comprehensive, and I don’t know how to do that without threat modeling.
When I wrote my book, I was able to survey almost everything written on the subject. That chapter ended up, appropriately, on the cutting room floor. (It didn’t deliver enough to the general reader.) It was a manageable task because there just wasn’t that much. Today, when I teach, my students bring me new approaches, new technique and new tools. They bring threat modeling to new domains, new technologies and they solve problems.
Today, Toreon sees enough interest and activity to set up a monthly newsletter.
It’s an exciting time, and we ain’t seen nothing yet.
Free Toreon Whiteboard Hacking survival guide
- Identify what you are building with data flow diagrams
- Discover threats with STRIDE
- Recommend standard mitigations
- Calculate risks of discovered design vulnerabilities
Direct download HERE.
Curated threat modeling content
Attack trees article, by Bruce Schneier
Value driven threat modeling video, by Avi Douglen
Tip of the month
- Download and install draw.io for your operating system of choice
- Clone or download the Github repository
- Open draw.io application and create a new blank diagram
- Click the File menu and then click Open Library…
- Navigate to where you put the Github repository and open one of the XML files
Want to learn more about Threat Modeling training? Contact us, so we can organize one in your neck of the woods.
We aim to make this a community driven newsletter and welcome your input or feedback.
If you have content or pointers for the next edition, please share them with us.