Hi there, welcome to our second edition of the Threat Modeling Insider.
With our newsletter, we hope to provide valuable and curated content about threat modeling that will help you bootstrap or elevate your security knowledge and skills.
The line up of this “TMI” features:
- A guest article by Geoff Hill, Tutamantic
- Tip of the month: the OWASP threat modeling slack channel
- Toreon guide “threat modeling done right”
- Curated resources from Carnegie Mellon University and Microsoft
- Invitation to the Open Security Summit, featuring a threat modeling track
- Updates on upcoming Toreon trainings
How to supercharge your Threat Modeling
Guest article by Geoff Hill, Tutamantic
You’ve been here I’m sure… it’s a Monday afternoon and you have half a dozen security tasks all marked URGENT that you need to attend to. About then someone tells you about a project they are about to start coding.
You go into a panic because you haven’t heard about this project. You really want to do a threat model now so you can design security controls into the build pipeline, and not have to retrofit them as you have done so many times in the past.
The problem is that you are out of time and you know it. You estimate it will take a day of traditional threat modeling (which you don’t have) to discover the security threats (which you know will balloon in number) to get the security controls (which you won’t be able to build in).
The Rapid Threat Model Prototyping (RTMP) methodology is a new faster, more streamlined threat model process. It minifies many traditional threat modeling steps by using the Agile architecture framework and software prototyping concepts to provide an iterative system that follows the Pareto rule. Therefore, we can cover 80% of threat model outcomes with 20% of the effort of normal threat model analysis.
RTMP is designed to find access control issues the fastest, because Privilege Escalation is the most dangerous part of an attack kill chain. Poor access control (authorization) gives rise to Injection attacks, Information Disclosure attacks and loss of software or system control.
Here is a quick summary of the RTMP
- Start with a team’s context diagram if you can; it’s better than misinterpreted DFDs
- Annotate the diagram elements with “trust numbers”, which represent the security impact of those elements and which replace trust boundaries
- RTMP uses these trust numbers to calculate where to put STRIDE in the diagram
- Add an existing or aspirational mitigation for each STRIDE notation in the diagram
- Review the gaps (where no mitigation has been recorded) and update if possible
You can find out detailed steps for the RTMP (Creative Commons license) here.
Geoff Hill, Tutamantic
Toreon guide – threat modeling done right
We created a guide explaining the four steps of threat modeling.
We also share solutions to five common challenges when using threat modeling:
- Requires security expertise
- Difficult to integrate
- Hard to internalize and reproduce
- Tools are limited
Curated threat modeling content
Threat modeling resource page from Microsoft
“But Seba”, I hear you ask, “How can we ever hope to start applying threat modeling in our company? Surely this won’t scale, or work in our large, well-established corporation, or be applicable to our specific software product or environment? Surely management is never going to sign off on this?!”
Did you know that one of the most well-known early adopters of threat modeling was Microsoft? In 2002, they started a security push in which they systematically started applying threat modeling to many of their internal projects, and now consider it a core element of their Security Development Lifecycle (SDL). The microsoft resource page on threat modeling explains the five major threat modeling steps, and features the Microsoft Threat Modeling tool. Visit the Microsoft page on threat modeling here.
White paper: a summary of threat modeling methods
So which threat modeling approach should you try? In the end, there is no single correct answer; the important thing is to try out threat modeling for yourself to see how effective it can be! The OWASP Application Threat Modeling project says it best with their motto, “Threat modeling: the sooner the better, but never too late.”
For a good overview on what other threat modeling approaches are out there,
in 2018 researchers at the Software Engineering Institute (SEI) at Carnegie Mellon University, released a white paper that discusses twelve threat modeling methods from a variety of sources that target different parts of the development process. You can download the paper here.
Tip of the month
We aim to make this a community driven newsletter and welcome your input or feedback. If you have content or pointers for the next edition, please share them with us.