TMI newsletter 6 (5-Sep-2019)


Hi there, welcome to our monthly edition of the Threat Modeling Insider. We hope you had a great summer! With this newsletter, we deliver guest articles, white papers, curated articles and tips on threat modeling that will help you bootstrap or elevate your security knowledge and skills.

This month’s “TMI” line-up features:
  • A guest article by Steven Wierckx, OWASP: “The OWASP Threat Model project”
  • Curated resources covering Jim DelGrosso teaching threat modeling and Dinis Cruz sharing his threat modeling templates
  • Toreon article: “The perfect threat model party guest list”
  • Tip of the month: Application Security Podcast, with episodes on threat modeling
  • Updates on upcoming Toreon training sessions

The OWASP Threat Model project

Guest article by Steven Wierckx, Application Security Consultant at Toreon

Together with Avi Douglen, I head the OWASP threat model project. As OWASP project leaders for this project, we focus on community building and moderation of content creation. We aim for the OWASP community to provide content as is normal for open source projects. The Threat Model project aims to be a hub of knowledge for anything threat model related. This means we classify this as a documentation project. There are other projects within OWASP that handle different threat model tools. In order to guide all (potential) contributors, I want to reiterate the principles we follow:

  • We are vendor, methodology and tool independent: we strive to have examples in as many methodologies and/or tools as possible.
  • Open discussion is promoted: all topics are open for discussion with just one rule: don’t be a dick. If you feel information is lacking or missing, let us know via the OWASP Threat Model Slack channel.
  • We come to an agreement: we discuss things mainly in Google Docs and on Slack. If the project leaders feel a consensus has been reached, we will publish the content to our main website. This is of course the project page on the OWASP wiki (see previous link). At the moment the content is not present simply because we did not have the time and resources to put all the content on there. Once the next version of the OWASP wiki becomes a reality, any person who wants to create some content or make a change will be able to follow normal git procedures. This part of the project depends on the OWASP organization, which is in the process of changing the wiki to a git repository. Some information has been provided to other projects where it has been published: there is information on threat modeling in the SAMM project, and the cheat sheet project is working with us to publish our cheat sheet series for threat modeling.

The community already came up with a lot of good information such as our credo: ‘Threat modeling, the sooner the better, never too late’.

What is the biggest achievement of our project?

Without a doubt, the Slack channel. This channel has over 800 members at the time of writing this article. This is a very (inter)active group of people that answer every threat model related question that is posted in the channel. The level of expertise in this channel ranges from absolute beginners to professional threat modelers, trainers and authors (of threat model books). Getting access to this channel is as simple as following this link: (If you are not yet a member of the OWASP Slack workspace, you will first have to use this invitation link).

What is the biggest challenge of our project?

Without a doubt we have failed at persisting the knowledge we have shared so far. This means we did not yet find a way to document in a clear way all the information from the Slack channel nor from the sessions at the Open Security Summit, where a lot of content was also created. Both Avi and I are fully aware that this should be our top priority. The root cause of the problem here is that there is so much information and knowledge that it is very hard to start building a useful set of documents. We have tackled this partially during the last summit by launching a number of (sub)projects such as the threat model examples project. This will be led by Jonathan Marcil and Tash Norris. Some other initiatives are in the making as well. We hope that by breaking this project up into different subprojects we can find/build a group of motivated people to achieve the goal of documenting all the threat model knowledge out there. This works in a very simple way: each project creates documentation on a specific category, and the Threat Model project groups all the information by being a kind of search engine over all the other projects.

Call to action

The threat model project is always on the lookout for people who want to contribute either knowledge or time. If you want to contribute knowledge, please go to the Slack channel and participate in the conversations. If you have some time, contact me and I will help you figure out what knowledge you can/want to record and help you set up a subproject for this. If you have time but do not want to start a project, let me know which of the projects you want to help out with and I will bring you into contact with the respective leaders. We will all appreciate your help and if we meet I will buy you a beer, whisky, soda or whatever drink you prefer 🙂

Steven Wierckx, Application Security Consultant at Toreon

Curated threat modeling content

OWASP project: Automated Threat Handbook

Jim DelGrosso teaching threat modeling at SecAppDev

In this talk Jim covers how threat modeling is done at Cigital (now part of Synopsys). The threat model process is very similar to other threat model methodologies, but Jim puts more emphasis on creating a threat matrix as a result of the threat model exercise. Jim uses diagrams that are different from the traditional DFD diagrams. He does a great job showing that the diagrams are there to support finding threats. The notion that some controls might be weak (meaning there might be a residual risk) is important, and Jim shows how this can be handled in a threat matrix. Watch on YouTube.

Threat modeling blogs and resources shared by Dinis Cruz

When searching on Dinis’ blog for the label ‘threat modeling’ you’ll find some great and simple starter templates you can use to create a threat model. They can be ideal to introduce non-security experts to threat modeling. The templates are created with so it’s easy to share without requiring everyone to install Visio.

The perfect threat model party guest list

Toreon article by Thomas Heyman, Application Security Consultant at Toreon

Threat modeling is a proven technique to reduce security risks in a cost-effective way. One of its strengths is that it brings together various stakeholders involved in the security of an IT system or project and ensures that they are aligned. That is, threat modeling helps this group of people to share a common understanding of the business value of the system or project. At the same time, it also helps those people share a view on the main threats and what mitigations can be put in place to address them.

But who are those stakeholders? Involve too few, and the threat modeling exercise loses its main benefit as it does not create a shared understanding of business value and threats. Involve too many, and the exercise runs the risk of devolving into a costly set of meetings.
… (continue online)

Tip of the month: Application Security Podcast

In the Application Security Podcast Chris and Robert discuss application security, cool OWASP happenings, and interview people in the application security world and decompose what makes them successful. There are some cool episodes on threat modeling with Adam Shostack and Izar Tarandach.

Discover the appsec podcast

Upcoming public Toreon trainings

Want to learn more about Threat Modeling training? Contact us, so we can organize one in your neck of the woods.

We aim to make this a community driven newsletter and welcome your input or feedback.
If you have content or pointers for the next edition, please share them with us.

Kind regards,
Sebastien Deleersnyder
CEO, Toreon
