Welcome again to the Simone on Security blog. This new article follows a long series dedicated to Quality for Threat Models, and then to the description of how we could evolve the practice with something called Threat Modeling vNext.
We have seen that quality, in particular, is an important issue. All too frequently, Threat Models represent only a missed opportunity because due care is not applied.
Sometimes the problem is related to the need to provide guidance. Of course, expert Threat Modelers are rare, which means that we need to focus on what is required to help the rest of us make better Threat Models. The most typical approach to address this issue is to provide some expert system that identifies a list of problems from a diagram.
Unfortunately, this does not work.
There are various reasons why, including:
- The expert system focuses only on a limited portion of the system at a time. As a result, the analysis misses most potential attacks, because they would be a result of the combination of multiple issues located in different places.
- The expert system generates a lot of findings, forcing the Threat Modeler to analyze them one by one diligently, which tends to become a tedious job pretty fast.
- The rules used by the expert system to generate the various findings are based on best practices that rarely apply to the specific scenario. As a result, the findings are less relevant than they should be.
Expert Systems still provide undeniable value for beginners and other categories requiring more guidance, but their effectiveness in improving the quality of the Threat Models produced is limited at best.
We need something more, and that something must be about increasing the number of experts able to create high-quality Threat Models. For this reason, I’ve decided to start a mini-series of five articles, the first one of them being the current one.
There are three primary skills to acquire in order to be proficient at creating high-quality Threat Models:
- Good knowledge of common security risks and mitigations
- The ability to recognize threats to both the Infrastructure and Applications, and a good understanding of the various approaches to mitigate them by applying the best of both worlds (in other words, the application of a holistic approach)
- A critical mindset, never assuming
The next three articles will discuss each one of those skills and provide examples and references that will hopefully allow you to better understand how to apply them. Finally, the last article will sum it up and provide some additional considerations.
For now, stay safe and happy Threat Modeling!