The Art and Science of Threat Modeling Representation
Understanding Threat Modeling
The Threat Modeling Manifesto defines threat modeling as “analyzing representations of a system to highlight concerns about security and privacy characteristics.”
The practice of threat modeling goes beyond mere technical analysis. It involves analyzing representations of a system to uncover concerns related to security and privacy attributes. So, what exactly does representation mean in this context, and why does it matter?
The Essence of Representation in Threat Modeling
A representation is more than just a diagram; it's a conceptual framework. It's the lens through which threat modelers glimpse the soul of what they're modeling. Drawing substantial security or privacy conclusions becomes an uphill battle without a well-constructed representation.
Forms of Representation
Data Flow Diagram
This diagram avoids the detail of full flowcharting and instead uses a small, fixed set of elements: process, data flow, data store, external entity, and trust boundary.
Attack Tree
A conceptual diagram that illustrates how an asset might be attacked. It's like a roadmap to the vulnerabilities of your system.
Swim Lane Diagram
This type of diagram visually differentiates responsibilities within the sub-processes of a business operation, like lanes in a swimming pool.
Pseudo-code
It's not quite code but a plain-language description of the steps the code will take. Think of it as a rough sketch before the masterpiece.
The Napkin Approach
Sometimes, complexity can be scribbled on a napkin during a casual lunch meeting. Simplicity has its elegance, too.
The Functionality of Representations
While representations can take many forms, they serve a single purpose: to help the threat modeling team uncover the most relevant threats and the best mitigations. They're like the keys to the kingdom of understanding your system.
Popular Preferences in the Industry
A recent LinkedIn poll and insights from industry leaders like Avi Douglen and Izar Tarandach reveal the preference for data flow diagrams. But there's no one-size-fits-all. Swim lanes and Python code have their champions, too.
Insights from Experts
Practitioners differ in which representation they reach for, and the replies below show why: some start from a DFD, some from swim lanes or code, and some combine several views for a more complete picture.
DFDs most often for new models, lately been using swimlanes more (especially if devs already have them). I am also trying out / experimenting with a focused Wardley map as well, not really confident in this yet but it feels really powerful. - Avi Douglen
Whichever works best for the owners of the system to better express it via the model. If it is me, then probably DFDs. Or Python code! - Izar Tarandach
Steve Springett, another industry expert, elaborates on the complementary nature of different representations.
Why just one? DFDs and attack trees are commonly used in my threat models. In my experience, the DFD can inform the Attack Tree since the DFD will have all the assets and processes that can be attacked. The Attack Tree can then identify things in the DFD that were previously marked as out of scope and we can reevaluate if that truly is the case. But I always start out with a DFD. - Steve Springett
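To make the relationship Steve describes concrete, here is an added example (not code from the original article or from any of the practitioners quoted) of a DFD written as code using the five element types listed above, a check that flags flows crossing a trust boundary without encryption or authentication, and an attack tree derived from the DFD so that every leaf points back at a DFD element. The final function lists leaves whose element was marked out of scope, which is exactly the reevaluation Steve mentions. All system names, boundaries and flows are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Minimal "DFD as code": the five DFD element types from the article,
# with the trust boundary recorded as a property of each element.
@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # "process", "data_store" or "external_entity"
    boundary: str        # trust boundary the element lives in
    in_scope: bool = True

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    encrypted: bool = False
    authenticated: bool = False

    def crosses_boundary(self) -> bool:
        return self.src.boundary != self.dst.boundary

@dataclass
class Node:
    """Attack tree node: children combine with OR (any suffices) or AND (all needed)."""
    goal: str
    op: str = "OR"
    element: Optional[Element] = None   # DFD element a leaf points back to
    children: List["Node"] = field(default_factory=list)

def dfd_concerns(flows: List[Flow]) -> List[str]:
    """Flag boundary-crossing flows that lack encryption or authentication."""
    concerns = []
    for f in flows:
        if not f.crosses_boundary():
            continue
        edge = f"'{f.data}' {f.src.name} -> {f.dst.name}"
        if not f.encrypted:
            concerns.append(f"Information disclosure: {edge} crosses a trust boundary unencrypted")
        if not f.authenticated:
            concerns.append(f"Spoofing: {edge} crosses a trust boundary unauthenticated")
    return concerns

def attack_tree_for(store: Element, flows: List[Flow]) -> Node:
    """Root the tree at one data store; every flow touching it becomes an AND sub-goal."""
    root = Node(goal=f"Compromise data store '{store.name}'", op="OR")
    for f in flows:
        if f.dst is store:
            neighbour, action = f.src, f"Tamper with '{f.data}' written by {f.src.name}"
        elif f.src is store:
            neighbour, action = f.dst, f"Read '{f.data}' delivered to {f.dst.name}"
        else:
            continue
        step = Node(goal=f"Via flow '{f.data}'", op="AND")
        step.children.append(Node(goal=f"Gain control of '{neighbour.name}'", element=neighbour))
        step.children.append(Node(goal=action))
        root.children.append(step)
    return root

def leaves(node: Node) -> List[Node]:
    if not node.children:
        return [node]
    return [leaf for child in node.children for leaf in leaves(child)]

def scope_review(tree: Node) -> List[str]:
    """DFD elements marked out of scope that nevertheless appear as attack-tree leaves."""
    return sorted({leaf.element.name for leaf in leaves(tree)
                   if leaf.element is not None and not leaf.element.in_scope})

def render(node: Node, depth: int = 0) -> str:
    marker = f" [{node.op}]" if node.children else ""
    line = "  " * depth + node.goal + marker
    return "\n".join([line] + [render(c, depth + 1) for c in node.children])

# Constructed sample model (hypothetical system, not a real one).
browser = Element("Browser", "external_entity", "internet")
web_app = Element("Web App", "process", "dmz")
orders_db = Element("Orders DB", "data_store", "internal")
batch_job = Element("Batch Job", "process", "internal", in_scope=False)

FLOWS = [
    Flow(browser, web_app, "order form", encrypted=True, authenticated=True),
    Flow(web_app, orders_db, "order record", encrypted=False, authenticated=True),
    Flow(orders_db, batch_job, "nightly export"),
]

if __name__ == "__main__":
    for concern in dfd_concerns(FLOWS):
        print(concern)
    tree = attack_tree_for(orders_db, FLOWS)
    print(render(tree))
    print("Reevaluate scope for:", scope_review(tree))
```

Running it reports one concern (the unencrypted write from the DMZ into the internal network) and builds a tree for Orders DB whose leaves include "Gain control of 'Batch Job'"; because Batch Job was marked out of scope in the DFD, scope_review returns it as a candidate to revisit. Tagging each element with a trust boundary rather than drawing boundaries as separate shapes is a modelling choice made here for simplicity; tools like pytm model boundaries as first-class objects.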
The Importance of Creativity in Threat Modeling
Threat modeling is both an art and a science. It requires a creative mind to explore various representations and not be confined to traditional methods. Embrace the new, and don’t be afraid to experiment.
Conclusion
The journey of threat modeling is a blend of logic and creativity. The choice of representation isn't about right or wrong; it's about what resonates with your system and team. Keep an open mind and let the art of threat modeling inspire your scientific approach.