That was another insightful TMC meetup! A big thank you to everyone who joined us! We delved into the world of “Meta Threat Modeling”, using threat modeling techniques to threat model our threat modeling efforts (there’s never too many threat models).
Special thanks to our speaker @hewerlin for sharing your meta threat modeling framework with us and a huge shoutout to our facilitators, @MilaGerova, @dragon44, @MariiaTiurina, @LilithPendzich, @jrabe3, @laurafrenz for guiding the conversation and ensuring a smooth and engaging session. Your leadership made all the difference!
The Threat Modeling Connect August 2024 Community Meetup was “Meta Threat Modeling” by Hendrik Ewerlin (@hewerlin), and covered how we can reuse the approach for how we threat model systems in order to analyze and improve the threat modeling process itself. Half of that session was dedicated to a breakout room activity where event participants got to share the things that can go wrong with threat modeling and what we can do about it. There were 7 breakout rooms during the event and this post is going to give a summary of the ideas shared in those breakout rooms.
At the highest level we can group the themes/challenges identified into the following categories, and the count of the number of different themes/challenges identified across all breakout rooms:
| Theme/Challenge Category | Count |
| --- | --- |
| Techniques and Tools (for creating the threat model itself) | 21 |
| Management (of threat modeling as a business activity) | 22 |
As you can see there is a very nearly equal number of issues identified in each category.
We can then break this down into more specific themes/challenges (some interpretation was required in order to aggregate the ideas across breakout rooms because no one person was present in all breakout rooms).
| Category | Theme/Challenge | Count |
| --- | --- | --- |
| Techniques and Tools | Getting good input/information to create a threat model from | 6 |
| Techniques and Tools | Modeling the system at the right level of abstraction and detail | 6 |
| Techniques and Tools | Ensuring participants are the right people for the process | 4 |
| Techniques and Tools | Ensuring the threats and mitigations are appropriate | 3 |
| Techniques and Tools | Leveraging tooling so it delivers value | 2 |
| Management | Management and team buy-in for threat modeling to be done | 7 |
| Management | Appropriate and effective integration with the business's SDLC | 5 |
| Management | Security team capacity and delivering threat modeling resources for the business | 4 |
| Management | Executing threat modeling to deliver value | 3 |
| Management | Managing the lifecycle of identified mitigations through to implementation | 3 |
It probably comes as little surprise that the most identified challenge for threat modeling is getting buy-in from management, but all of these will be familiar to anyone who has been threat modeling for a while or has operated a threat modeling program of work.
In terms of what we can do about these challenges, the suggestions were many and varied and don’t lend themselves to being aggregated into common approaches. A curated/opinionated subset of the solutions is presented below, but feel free to reply to this post with any suggestions you want to share.
| Category | Theme/Challenge | Subset of suggested approaches |
| --- | --- | --- |
| Techniques and Tools | Getting good input/information to create a threat model from | Work with system owners to:<br>Identify the right people to involve<br>Locate or create documentation<br>Use an iterative process to gather information |
| Techniques and Tools | Modeling the system at the right level of abstraction and detail | Prioritize threat types and focus on those first<br>Keep the model as simple as possible, while also offering value<br>Standardize definitions and use templates |
| Techniques and Tools | Ensuring participants are the right people for the process | Training for teams to help them identify the best people to create the threat model |
| Techniques and Tools | Ensuring the threats and mitigations are appropriate | Practical mitigations over perfect mitigations<br>Use standards for guidance, e.g. OWASP Top Ten<br>Give broad visibility to mitigations to get consensus |
| Techniques and Tools | Leveraging tooling so it delivers value | Incorporate a manual review of output from automation |
| Management | Management and team buy-in for threat modeling to be done | Use pen-testing or vuln reports to highlight potential value of threat modeling<br>Create an example threat model, and deliver mitigations<br>Ensure threat modeling is treated as an SDLC activity, incorporated into existing processes<br>Align stakeholder expectations and address concerns |
| Management | Appropriate and effective integration with the business's SDLC | Push for threat modeling as an early SDLC activity, but be flexible with team priorities<br>Update threat models as systems change in ways that might affect security |
| Management | Security team capacity and delivering threat modeling resources for the business | Take a risk-based approach (aligned with business risk)<br>Use tooling |
| Management | Executing threat modeling to deliver value | Drive consistency across all threat models using:<br>Standard definitions<br>Templates<br>Training |
| Management | Managing the lifecycle of identified mitigations through to implementation | Create work tickets in team backlogs with SLAs<br>Testing to verify implementation |
There is some solace to be had that as a community we share a common set of challenges for threat modeling, and it’s encouraging to see us share a broad array of approaches to meet those challenges, which ultimately is the only way we are going to progress the art and execution of threat modeling, as a community of practitioners that support each other.
Awesome, @Dave, thanks for clustering and distilling commons across the sessions! I found the results were really remarkable, especially when we keep in mind that these are the results of 22 minutes from 7 teams. Thanks for creating this aggregated view! It’s great to see the recurring patterns.
You have the two top-level clusters “Techniques and Tools” and “Management” and in the “Management” cluster, one popular theme is “Management and team buy-in for threat modeling to be done”.
I think this one shows how the two things are related:
In my opinion, fans of threat modeling need to make a believable promise that threat modeling will be
effective (“secure the system!”)
efficient
satisfying
… And then deliver the promise.
This shows the importance of debugging the threat modeling process and solving its blockers, inefficiencies and frustrations… through retro (→ “Did we do a good (enough) job?”) or - at best - before they occur (→ “When we threat model… what can go wrong?” → Meta Threat Modeling).