Welcome to the latest installment in the Threat Modeling vNext series!
One month ago, we started introducing the next evolution of Threat Modeling by example. In fact, we have presented four different personas to illustrate four different ways of interacting with Threat Models: Judith, the beginner Threat Modeler; Lucy, the expert; Elliot, the Product Owner; and finally George, the Business Decision-Maker. Their needs are so different that one could even think that some of them would not be able to benefit from being exposed to a Threat Model.
As we have demonstrated with the previous articles, nothing would be less accurate. In fact, the various roles would interact with Threat Models in different ways, but each one of them would still get a lot of value out of it:
- Judith, our beginner Threat Modeler, would receive the guidance and support required to produce quality Threat Models even if she has only limited knowledge about the process and the specific technologies adopted by the inspected solution;
- Lucy, the expert, would increase her efficiency and effectiveness, thanks to the adoption of advanced tools to automate some of the most common tasks;
- Elliot would be able to consume the Threat Model and extract the information required to insert the findings and mitigations, identified and collected by Judith and Lucy within the Threat Model, into the Backlog managed by his Tracking tool of choice;
- And finally, George would be able to understand and manage the risk represented by the applications he owns and to more clearly grasp the impact of the proposed mitigations. As a result, George would be able to better understand the benefits and implications of a roadmap designed to address the identified security risks.
Now, the question of the day is: would it be best to get multiple specialized tools, each one of them providing the exact value each role needs, or would it instead be better to have a single tool, giving everyone the same average experience?
This question looks a lot like asking, “is it better to live a day as a lion or 100 days as a sheep?”. A famous Italian comic actor named Massimo Troisi, who unfortunately is not among us anymore, answered that question: “what do I know about sheep and lions? Let’s do 50 days as a teddy bear!”
Troisi was right: it would be a mistake to have many specialized tools because you cannot really cover all the needs. The four roles we have introduced are merely examples, so much so that, if you think about it a little, you would be able to identify at least another 4 roles which would benefit from slightly different functionalities. It would also be a mistake to search for a single set of features to cover all the requirements because it would necessarily provide a sub-optimal experience to all.
So, what should we do? The correct answer is to adopt a single tool, which could provide a customizable experience to each role by integrating different functionalities, which could be balanced to provide the best experience to each one of them. This would allow it to offer different views over the same truth to each different role.
Let’s suppose, for example, that our Judith requires three different functionalities: a design panel to create the diagram, a threat generation engine, and also a simple reporting component. Our expert, Lucy, would still need the design panel but would not require a threat generation engine; instead, she would want a tool to scan existing solutions and an advanced reporting functionality. Elliot could entirely forgo the diagram functionality, but he would definitely need to define a Roadmap and synchronize Threats and Mitigations with the Backlog in the chosen Tracking tool. Finally, George would need a simple dashboard to get information about the risks and the benefits expected from the implementation of the Roadmap.
Even if some users would need similar tools, each one of those should be adapted to the needs imposed by its role: for example, the design panel used by Judith would not be exactly the same as the one required by Lucy. Just consider that it is only reasonable to expect completely different levels of complexity for Threat Models produced by beginners and by experts: of course, they are going to need different approaches. But still, this is more about providing different specialized views as part of the same tool than providing specialized tools altogether.
How could you achieve this flexibility? If you have the patience to wait, next week you’ll be able to read about some ideas.
Meanwhile, stay safe and enjoy Threat Modeling!