Hi there, welcome to our Christmas edition of Threat Modeling Insider.
With this newsletter, we deliver guest articles, white papers, curated articles and tips on threat modeling that help you bootstrap or elevate your security knowledge and skills.
Our “TMI” line-up:
- A guest article by Chris Romeo covering “Threat modeling: better caught than taught”
- Curated resources covering NO DIRT: a threat modeling approach for digital healthcare, and the Tactical Threat Modeling paper from SAFECode
- Toreon article: “Threat modeling in 4 steps“
- Tip of the month: the OWASP risk rating calculator
- Updates on upcoming Toreon training sessions.
Threat modeling: better caught than taught
Guest article by Chris Romeo, CEO and co-founder of Security Journey
Everyone wants their engineering staff to be better at threat modeling. Security teams desire a world where developers practice a threat modeling mindset. A security mindset where threat modeling is no longer a process or a tool but is instead a way of life. When developers embrace this mindset, they see threats jump off the page in both diagrams and code. They hear peers discussing a potential solution, and they can articulate the security challenges that such an approach will cause.
There are different approaches that security teams try when beginning threat modeling. One method is for a central security team to perform all the threat modeling. The challenge with this approach is scalability; as soon as you grow beyond a single pizza’s worth of developers, you need a large security team to keep up.
Another approach is to solve threat modeling with tools. Regardless of the tool, developers will struggle using the tool without the knowledge for successful deployment. Tools are great but come later in the maturity of threat modeling.
The best methodology for threat modeling at scale is the “caught not taught” method. With “caught not taught,” the premise is that the only way to truly grasp threat modeling is by performing threat modeling. Instead of spending hours lecturing on STRIDE versus PASTA, take a small group of developers into a room, and ask one of them to draw a picture on the board of the current feature they are building. Begin to ask leading questions about the things you see jump off the picture. Teach them how to threat model by performing threat modeling.
For threat modeling to grow, you must magnify your efforts. Spend time with that small group of developers until they reach the early stages of the threat modeling mindset, and then ask them to replicate the idea with groups of their own. In no time, you’ll have an entire organization embracing a security mindset through threat modeling.
PS: also check out the Application Security Podcast from Chris.
Curated threat modeling content
NO DIRT: Threat Modeling for digital healthcare and beyond
Tactical Threat Modeling – SAFECode paper
Threat modeling in 4 steps
Tip of the month: OWASP Risk Rating Calculator
One of our challenges is risk rating vulnerabilities when we threat model. The online OWASP Risk Rating Calculator can help you out with that. It is based on OWASP’s Risk Rating Methodology.
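The calculator applies the methodology's scoring rules: eight likelihood factors and eight impact factors rated 0 to 9, each set averaged, banded LOW/MEDIUM/HIGH, and combined in a severity matrix. As an added example that is not the newsletter's or OWASP's own code, here are the same rules in Python (the factor names and the sample ratings are constructed for illustration):

```python
# Added example (not from the newsletter or the OWASP calculator's own code): the
# scoring rules of the OWASP Risk Rating Methodology. Factor names and the sample
# ratings below are constructed for illustration.

# Likelihood: four threat-agent and four vulnerability factors, each rated 0-9.
LIKELIHOOD_FACTORS = ("skill_level", "motive", "opportunity", "size",
                      "ease_of_discovery", "ease_of_exploit", "awareness", "intrusion_detection")
# Impact: four technical and four business impact factors, each rated 0-9.
IMPACT_FACTORS = ("loss_of_confidentiality", "loss_of_integrity", "loss_of_availability",
                  "loss_of_accountability", "financial_damage", "reputation_damage",
                  "non_compliance", "privacy_violation")
# Overall severity matrix: (likelihood level, impact level) -> severity.
SEVERITY = {
    ("LOW", "LOW"): "Note", ("MEDIUM", "LOW"): "Low", ("HIGH", "LOW"): "Medium",
    ("LOW", "MEDIUM"): "Low", ("MEDIUM", "MEDIUM"): "Medium", ("HIGH", "MEDIUM"): "High",
    ("LOW", "HIGH"): "Medium", ("MEDIUM", "HIGH"): "High", ("HIGH", "HIGH"): "Critical",
}


def level(score):
    """Map a 0-9 score to the methodology's bands: <3 LOW, 3 to <6 MEDIUM, 6+ HIGH."""
    if not 0 <= score <= 9:
        raise ValueError(f"score {score} is outside the 0-9 scale")
    return "LOW" if score < 3 else "MEDIUM" if score < 6 else "HIGH"


def rate_risk(factors):
    """Return (likelihood, impact, severity) for a dict mapping factor name -> 0-9 rating."""
    missing = set(LIKELIHOOD_FACTORS + IMPACT_FACTORS) - factors.keys()
    if missing:
        raise ValueError(f"missing factors: {sorted(missing)}")
    # Each score is the plain average of its eight factors, as in the methodology.
    likelihood = sum(factors[f] for f in LIKELIHOOD_FACTORS) / len(LIKELIHOOD_FACTORS)
    impact = sum(factors[f] for f in IMPACT_FACTORS) / len(IMPACT_FACTORS)
    return likelihood, impact, SEVERITY[(level(likelihood), level(impact))]


# Constructed sample: a well-known, easily found flaw in an internet-facing
# feature whose exploitation would expose customer records.
SAMPLE = {
    "skill_level": 5, "motive": 9, "opportunity": 7, "size": 9,
    "ease_of_discovery": 7, "ease_of_exploit": 5, "awareness": 9, "intrusion_detection": 8,
    "loss_of_confidentiality": 7, "loss_of_integrity": 3, "loss_of_availability": 1,
    "loss_of_accountability": 7, "financial_damage": 5, "reputation_damage": 5,
    "non_compliance": 7, "privacy_violation": 7,
}

if __name__ == "__main__":
    print(rate_risk(SAMPLE))  # (7.375, 5.25, 'High')
```

Rating the same flaw twice with different analysts and comparing the factor values, not just the final word, is what makes the exercise useful in a threat modeling session.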
We aim to make this a community-driven newsletter and welcome your input or feedback.
If you have content or pointers for the next edition, please share them with us.