TM: reveal complete or find news?

I’m curious: What’s your preferred goal of threat modeling?

(1) Reveal complete: We want a complete threat ⇆ mitigation mapping for our scope.

(2) Find news: We focus our analysis on what we don’t know yet.

I’ve had several threat modeling sessions that started with quite a lot of security considerations done upfront. How do you incorporate that (or not)?

Hendrik

My approach falls into your ‘reveal complete’ category. In my experience (for a system that hasn’t been TM’d before) any existing capture of security information isn’t standardised, so capturing it in a standard way helps to add structure (which helps to detect if things are missing), and it makes it easier for others to review, learn from and copy. My approach actively encourages capturing existing controls, which then becomes a great list of things for security testers to actually look at to confirm those controls work as expected!

3 Likes

Well, my approach is also ‘reveal complete’. A capture of the current state, with the existing control sets and the controls that exist but are not implemented, is a great start to directly add value to the whole exercise. It also gives some realistic insights into real threats.

2 Likes

I also prefer “reveal complete”, because security considerations may have flaws and could reveal more threats as well, e.g. MFA considered but not the strongest one, or WAF considered but nothing about how strict the configuration would be or who has access to the WAF, etc.

Therefore, going with the assumption that threats are always present even if upfront security considerations are made, and including them in the current scope, gives me a complete view; it also covers the case where the control is not implemented, has failed, or has become less effective at a later stage.

2 Likes