What’s an alternative to threat modeling? If there was no TM, what would the world have been?

While having a conversation with one of my friends who has done threat modeling for 10 years now, we brainstormed about why Threat Modeling is there and what would have happened if no concept of Threat Modeling existed. What better place to open this up for discussion. What do you think, what’s an alternative to threat modeling? If there was no TM, what would the world have been?

Hi Amit @dragon44 !

The alternative to Threat Modeling is Threat Modeling and not knowing you do it. :wink:

Funny story:
Got a call lately. “I know, we do threat model every story. Do I have to threat model this particular story?”
Read the story.
It was 100% a mitigation.
They just hadn’t seen it in the threat / mitigation framing.

I believe a lot of people threat model intuitively.

With threat modeling done actively, explicitly, structured, conscious, we can do better!

Hendrik

2 Likes

I agree with Hendrik. Threat Modeling has always been around!

Recently a group of us was teaching kids how to threat model at DEF CON. We provided a simple scenario: a picnic in the park, or a day at the beach, etc. The kids seemed to intuitively understand the concept to mean identifying problems that could ruin their day. Shark attacks, tornados, missing sunscreen, cars breaking down, it was all there!

The key is that our experiences and shared knowledge greatly improve the quality and applicability of threat modeling. It doesn’t matter if the kids learned about the dangers of sharks from a book, or about needing sunscreen from a parent, the knowledge was shared and they could apply it. They were able to imagine and mitigate a danger that they did not have to experience first hand.

The alternative is that without more formal threat modeling, we have less opportunity to mitigate and imagine dangers until we experience them first hand, one by one, industry by industry.

2 Likes

Great story! :shark: :shark: :shark:
Sharks? :shark: Tornados? :tornado: Is Sharknado a security education movie? :smiley:
Shark attacks can probably benefit from likelihood assessment. :wink:

One thing I have observed is that threat modelers have a tendency to pick the first mitigation that comes to mind. I think that is probably also the quality you can achieve without formal threat modeling. Here’s happy news in threat modeling: Talk is cheap! :partying_face: We can discuss different ways to mitigate threats, then make better choices! But only if we look closely. :eyes:

3 Likes

One can imagine a theoretical world where all systems are designed for security in a way which makes threat modelling redundant. In fact, one could even argue that if all engineering decisions were ideal, then one would not need to care about threat modelling. Of course, it’s almost like imagining a world in which there are no malicious intentions.

1 Like

Thanks for the inspiration @AppSecSeanner - today I updated my TM training to start with a short trip to the beach. :stuck_out_tongue_winking_eye: Can’t wait to test it…

Fulfills Chris Romeo’s rule (not allowed to talk about threat modeling for more than 30 minutes until people have to threat model) with 29 minutes and 40 seconds left. :stuck_out_tongue_winking_eye:

1 Like

Depends how you delimit secure design from threat modeling… :thinking:
I define secure as protected from danger. (:cloud_with_lightning_and_rain:?:open_umbrella:?) My definition of threat modeling is quite broad…

1 Like

Another option is if security were considered another quality requirement, like performance, user experience, etc., in architecture practices. You would not need a specific and separate activity of threat modeling if it were widely perceived this way.

1 Like

True: An experienced team can certainly refine awesome + secure stories! :muscle: :closed_lock_with_key:

How did they come up with such clever secure design / requirements? I would distinguish two styles:

  1. Threat-first: They threat modeled in one way or the other, perhaps implicitly. (:cloud_with_lightning_and_rain:?:open_umbrella:?)
  2. Mitigation-first: They got inspired by best practices, requirement catalogues, secure design principles, compliance, things everyone else is doing, … :open_umbrella:! (:cloud_with_lightning_and_rain:?)

Maybe mitigation-first can also be considered threat modeling, with the popular 4 question framework:

  1. What are we working on?
  2. What shiny security features can we add?
  3. Do we really need them?
  4. Did we miss something / do a good job?

:stuck_out_tongue_winking_eye:

Everything that works…

1 Like