Original post by @brookshoenfield
I inherited a programme where the past administration had mandated that “every change be threat modelled”. Further, when asked by development teams how to threat model, that administration told developers explicitly that threat modelling was strictly the province of security architects working in product security architecture. Too sensitive for mere developers. (true story!)
In my very humbled experience, mandates never work. At least in software security, I’ve never seen mandates work all by themselves as the “solution”. The mandate is just the starting point or the fallback.
If my only tool to gain developer execution is the mandate, I believe that I have completely failed.
Forcing people to do things via fear and punishment does not foster creativity and innovation (supposedly, what we are trying to do with our software). Mandates alone just make people figure out ways around the mandate. Not what I want. Mandates may make those who issue them feel effective? but human systems do not work that way. And particularly, delivery that counts upon craft and analysis (i.e., programming) is particularly resistant to command and control techniques.
I’m not saying we shouldn’t have policy and constraints, that we shouldn’t specifically call out what must be done. That’s what the Security Development Lifecycle (SDL) is for. It’s just that this is just one part of a whole - and must not be mistaken for ‘the programme”.
In the role I mention above, I had to dig myself out of the hole that my predecessors left me in. I had to regain developer confidence and partnership, which took a lot of doing, proving, and a whole lot of travel (usually in coach. ugh). I didn’t appreciate that hole, I can tell you.
Mandate that threat modelling is a critical and required part of software security (the SDL). That said, make it real: not every change affects the model. Many changes have little to zero security implications. Smart engineers understand this.
At the same time, make clear what sorts of changes will require review of the existing model. Review is a lot quicker and more discreet that building a brand new model. If there’s already a model, why rebuild it? threat models are living documents. (My last 2 books and many of my public presentations describe what those threat modelling triggers are, probably in far too much detail.)
One of my techniques is to be the expert in the sorts of things that will build appropriate, robust software security. At the same time, how we collectively do those is nearly always a matter for those who do the work, not me sitting in my high tower of supposed (perceived?) authority. There are many effective ways to threat model. Like @adamshostack noted above: I don’t care how folks do it, as long as they do it, and get better through whatever process works for them. Remembering that nothing is perfect in security. Certainly not me.
There’s an old dictum: “those who work decide”. I do my best (in my limited capacity as a human being) to follow that bit of advice.