Hi there.

Welcome to the October edition of Threat Modeling Insider.

For this version, we have, as usual, picked and created the finest Threat Modeling contents of the month. Next month, we hope to share more about the new threat modeling community we are co-founding. Stay tuned!

But, for now, our TMI line-up looks as follows:

• The Role of Tooling in Threat Modeling, by our guest blogger, Zoe Braiterman
• Curated Content. “The Hybrid Approach to Threat Modeling”, a blog post by Chris Romeo, co-founder of Security Journey.
• Curated content: How we’re creating a threat model framework that works for GitLab, a blog post by Mark Loveless, Security Engineer at GitLab.
• “Threat Modeling Soft Skills”, a session with Sebastien Deleersnyder.
• Toreon Tip: Creating Security Decision Trees with Graphviz, by Kelly Shortridge.

Happy reading!

Seba, Steven, Thomas

In this blog post, Zoe Braiterman tells us more about TM tooling and how tooling can help to facilitate processes and discussions by automation and scaling.

The Role of Tooling in Threat Modeling

The practical value of threat modeling is about “People and collaboration over processes, methodologies, and tools”, as stated in the Threat Modeling Manifesto and various discussions amongst practitioners.  However, tooling certainly plays a role in the productive threat modeling.

Some useful features of software used for threat modeling

Threat Modeling as Code

This category of tooling includes pytm, an OWASP project led by Izar Tarandach.

Pytm is a Pythonic framework that achieves the following to facilitate threat modeling:

• Enable developers with the  to easily generate data flow diagrams or sequence diagrams, using dot or PlantUML
• Allow security experts to supply threats to the system, based on vulnerabilities
• Generate a report that includes diagrams and findings

More on automated reporting

Potential threats that may impact a system are not limited to security threats. They also include privacy and compliance related threats.

Adaptive tooling empowers users with automated reporting of these various types of threats to enable users to properly understand and mitigate the risks that face the systems within their organizations.

For example, Irius Risk, allow users to create reports, including compliance reports, among the analytics and reporting features the product includes.

What this means for you

Some considerations in making decisions your team / organization may include the following.

• The users of the threat modeling software:  Developers? Security professionals? Product managers? Consider the goals and level of technical expertise of each user persona.
• The desired types of outputs:  What types of visual representations, reporting, analytics and integration will be useful for your case?
• The ongoing discussion and cross-functional collaboration it facilitates: What type of meaningful discussion is the tooling, and its outputs, to facilitate?

Conclusion

Threat modeling is an iterative process, consisting of multiple activities and involving multiple stakeholders.

Tooling can help to facilitate such processes and discussion, making them automated and scalable.

“The Hybrid Approach to Threat Modeling”, a blog post by Chris Romeo, co-founder of Security Journey.

“How we’re creating a threat model framework that works for GitLab”, a blog post by Mark Loveless, Security Engineer at GitLab.

On October 10th, we did a tl;dr sec community special training “Threat Modeling Soft Skills”.

Have a look at the full recording and learn more about the crucial soft skills that are necessary to turn an average TM meeting into an exciting workshop.

Also, do not miss our full Threat Modeling Practitioner training, covering 20 hours of self-paced training and in-person live labs. Afterwards you have one year access to the full training and workshop recordings and all our threat modeling resources. The next training cohort starts on the 28th of November 2022.

In this post, Kelly Shortridge walks us through the creation of an example decision tree using Graphviz and a .DOT file.

We aim to make this a community-driven newsletter and welcome your input or feedback. If you have content or pointers for the next edition, please share them with us.

Kind regards,
Sebastien Deleersnyder
CTO, Toreon