Know Your Enemy, and Yourself: Demystifying Threat Modeling


Meera Subbarao

Software security risk management is a common concern across major organizations in the world. Most of these organizations implement some sort of software security program that includes activities such as penetration testing and vulnerability remediation, which typically occur late in the development cycle. Threat modeling allows us to design security into our software and therefore resolve security issues early, when they are relatively easy and cost-effective to address.

Security professionals have been presenting and publishing information on threat modeling for decades. Yet, many managers avoid discussing threat modeling because they perceive it as:

  1. Too tough to produce actionable results
  2. Too overbearing on resources
  3. Demanding too much documentation
  4. Too costly to both produce an initial threat model from a clean slate and to maintain it

During this talk, we will attempt to bust these myths and demonstrate how organizations can incrementally obtain better results over time while making threat modeling “seem easy.” Threat modeling is in many ways one of the foundational practices of information security. Without an understanding of a system and the threats it may face, no useful protections can be defined.

A good threat model defines and constrains security objectives, so you can better assert “due care” in protecting digital assets. It also helps define the necessary security features and controls required by the system. And it drives and focuses important security processes within the development lifecycle, such as security testing and code analysis.

Organizations benefit from threat modeling because it

  · helps prioritize the type of attacks to address and helps select controls to mitigate risk
  · augments other assessments by adding additional attack vectors and identifying new types of vulnerabilities
  · identifies coveted “business logic flaws” and other critical issues that tool-centered approaches commonly miss

Threat modeling promotes thinking like an attacker and enables us to build software with security in mind, rather than addressing security as an afterthought. Despite the special relationship it has with secure architecture, threat modeling is also very useful as an input to activities that occur at other stages of the development lifecycle, including secure requirements identification, security test planning, security code review, and penetration testing. Threat modeling informs these activities and offers invaluable insight into the methods attackers could use to harm the system.