Understanding Threat Modeling
The Threat Modeling Manifesto defines threat modeling as “analyzing system representations to highlight security and privacy characteristics concerns.”
The practice of threat modeling goes beyond mere technical analysis. It involves analyzing representations of a system to uncover concerns related to security and privacy attributes. So, what exactly does representation mean in this context, and why does it matter?
The Essence of Representation in Threat Modeling
A representation is more than just a diagram; it's a conceptual framework. It's the lens through which threat modelers glimpse the soul of what they're modeling. Drawing substantial security or privacy conclusions becomes an uphill battle without a well-constructed representation.
Forms of Representation
Data Flow Diagram
This diagram simplifies the complex flowcharting process, instead utilizing a limited set of elements, encompassing process, data flow, data store, external entity, and trust boundary.
A conceptual diagram that illustrates how an asset might be attacked. It's like a roadmap to the vulnerabilities of your system.
Swim Lane Diagram
This type of diagram visually differentiates responsibilities within the sub-processes of a business operation, like lanes in a swimming pool.
It's not quite code but a plain language description of coding steps. Think of it as a rough sketch before the masterpiece.
The Napkin Approach
Sometimes, complexity can be scribbled on a napkin during a casual lunch meeting. Simplicity has its elegance, too.
The Functionality of Representations
While representations can manifest in various forms, they serve a unified purpose: to assist the threat modeling team in uncovering the best possible threats and solutions. They're like the keys to the kingdom of understanding your system.
Popular Preferences in the Industry
A recent LinkedIn poll and insights from industry leaders like Avi Douglen and Izar Tarandach reveal the preference for data flow diagrams. But there's no one-size-fits-all. Swim lanes and Python code have their champions, too.
Insights from Experts
Another industry expert, Steve Springett, elaborates on the complementary nature of different representations. Why limit one when combining DFDs and Attack Trees can provide a comprehensive view?
DFDs most often for new models, lately been using swimlanes more (especially if devs already have them). I am also trying out / experimenting with a focused Wardley map as well, not really confident in this yet but it feels really powerful. - Avi Douglen
Whichever works best for the owners of the system to better express it via the model. If it is me, then probably DFDs. Or Python code! - Izar Tarandach
Steve Springett, another industry expert, elaborates on the complementary nature of different representations.
Why just one? DFDs and attack trees are commonly used in my threat models. In my experience, the DFD can inform the Attack Tree since the DFD will have all the assets and processes that can be attacked. The Attack Tree can then identify things in the DFD that were previously marked as out of scope and we can reevaluate if that truly is the case. But I always start out with a DFD. - Steve Springett
The Importance of Creativity in Threat Modeling
Threat modeling is both an art and a science. It requires a creative mind to explore various representations and not be confined to traditional methods. Embrace the new, and don’t be afraid to experiment.
The journey of threat modeling is a blend of logic and creativity. The choice of representation isn't about right or wrong; it's about what resonates with your system and team. Keep an open mind and let the art of threat modeling inspire your scientific approach.