The goal of a threat model is to provide an objective, risk-based evaluation of security problems within your system’s architecture. The information gathered, is provided to the stakeholders so they can make a well-informed decision on how to mitigate threats and lower risks to an acceptable level.
Although this is the main focus of threat modeling, there are plenty of other reasons to utilize threat modeling 1:
- To get stakeholders to agree on a shared vision of your systems security
- To increase awareness and knowledge of your system with stakeholders
- To document your system design, document due diligence for certain legislative requirements such as privacy by design
- To serve as input for other processes such as testing the implementation, validating requirements, etc. For example: A penetration test will be much more efficient if testers can fall back on a threat model which explains what needs to be protected and lists your system’s requirements
- To spread knowledge on secure architecture in your organization. Lessons learned from a threat model can be useful in future designs of other systems
Implementing and maturing the threat model process within an organization is hard. This playbook 2will guide you through the process and will help you reach the level of maturity in threat modeling that you want to achieve within your organization.
This threat modeling playbook assumes you are creating or integrating software, hardware, or combining both using an agile methodology. We will measure the maturity level of the threat modeling practice based on three topics: people, processes, and tools or technology.
If your organization is not using agile development methodologies, or this process is new and not yet optimized, this guide can still be used. Chapters 2.2, 4.4 and 4.6 will need some evaluation concerning tools and processes when development methodologies are not in place. Nevertheless, threat modeling is being done in many organizations that do not use agile development methodologies.
To measure your maturity concerning the threat modeling process, several methodologies and frameworks are available. We are heavily influenced by the OWASP SAMM 3 project and will measure maturity at three levels.
There are several strategies for using this playbook. The choice between strategies depends on the number of systems and the level of “thoroughness” needed for those threat models.
There are several strategies you can use:
- Start with one system and get to a very mature state of your threat modeling practice with a very mature threat model. After reaching the desired level of maturity, proceed to the next system.
- Start with multiple systems in parallel. While you are maturing your threat modeling practice, come back to each threat model and improve it.
- A combination of the above. Start with the top 10% of your (most important) applications in parallel if your organization has a large number of systems.
For each existing system, you also need to decide a strategy:
-
Perform threat modeling of the complete system as it exists today. The rationale: this system is important, and the goal is to reduce the associated risks as much as possible.
-
Perform threat modeling on the changes being made on the system. The rationale: this system has been in use for a long time. If any major security problems existed, they would have been exploited by now so we can limit ourselves to new functionalities.
-
Perform threat modeling on the most important use case(s) of the system. The rationale: Creating a full-blown threat model takes too much time and effort to be economically viable. Nevertheless, we do still want to address the most important risks, which will generally be linked to the most important use cases. When in doubt, think about which use cases bring the most value and conversely which "doomsday scenarios" risk losing the most value. For some businesses this can be measured in money, while in others, reputational damage or physical harm can play a role.
This threat model playbook contains several elements from which you can design your ‘playbook’ as you would in American football. Each subchapter can be considered a ‘play’ that you can use in a ‘playbook’ which is customized to your organization or situation. You should play for 'maximum forward progress' towards your end goal.
| Main page | Next page >> |
|---|