A group of my #ThreatModeling besties and I have released Threat Modeling Capabilities, the next chapter of the Threat Modeling Manifesto. After a short hiatus, we got back together and brainstormed the next evolution of our efforts to spread threat modeling far and wide.
The Capabilities team includes many of the same authors who wrote the Threat Modeling Manifesto. We welcomed a few new faces, and a few had to bow out due to other commitments. However, we retained our excellence in knowledge, thought, experience, and cordial approach to disagreement. Across the team of fifteen, we have hundreds of years of threat modeling experience.
Of the many groups I've participated in, I've never worked with a more amicable and cordial group of co-conspirators in all my travels. This group reaches a consensus after hearing all sides clearly and respectfully. More groups could learn from this style.
Now, back to the new Threat Modeling Capabilities.
The Threat Modeling Capabilities Pedigree
Capabilities help you cultivate value from your threat modeling practice. They are measurable and practical with provable actions or objectives. You can assess your threat modeling program against these capabilities, using them as a roadmap for where you take threat modeling in the future.
As your threat modeling practice grows, this state-of-the-art document guides it. Its pedigree says it all:
“The creation of the capabilities project took place over most of 2023. It consisted of regular meetings, brainstorming sessions, editing reviews, and civil conversations about the best path forward for those creating or enhancing a threat modeling program. The conclusion of all this effort is the document you are reading now.”
Capabilities are not a measure of levels of maturity. We spent many hours debating this as a team. Capabilities are binary: you either have it or you don't. In the future, we may revisit the idea of levels of maturity tied to specific capabilities or groupings, as OWASP SAMM does in general for AppSec programs.
Enough preamble. Let me take you on a tour of the capabilities with some context to help you understand them better.
Threat Modeling Capabilities Explained
The Capabilities are grouped into seven process areas: Strategy, Education, Creating Threat Models, Acting on Threat Models, Communication, Measurement, and Program Management. Each capability within a group supports the area's objective or “north star.” We created a big-picture idea for each category that the capabilities point towards.
Each capability employs the same name syntax of verb/noun. Names and their structure are essential because they are what people reference and remember. Thanks to Jonathan Marcil for creating this structure, writing the usage rules, and brainstorming most names.
It's worth stating again: By design, there are zero interdependencies between capabilities. They stand on their own. You either have them, or you don't.
Strategy defines how you approach threat modeling for your entire organization. Strategy is usually laid out by those running the threat modeling program, including their management chain, which approves spending for the program. Embrace input from every level of your organization when strategizing where to go.
The strategy must mandate that threat modeling occurs (Execution Governance). If threat modeling is optional, then value generation is also optional. Threat modeling must be a mandatory practice embraced by management.
The strategy integrates threat modeling into your standard process (Life Cycle Integration). Repeatability stems from a standard approach. Embed threat modeling into the life cycle to ensure that it is performed.
The strategy ensures folks have time to perform threat modeling (Resource Allocation). Without allocated time for an activity, developers and teams struggle with tension. Alleviate tension by educating all levels of management about the threat modeling requirement and ensuring they provide coverage for their teams to perform threat modeling.
Education captures the need to teach people about threat modeling within a program. We cannot assume that developers and other team members come to the program with threat modeling knowledge and experience. We also can't assume they have essential secure development and coding knowledge or experience.
I am breaking the Education group into two sub-groups: informing the program and informing the learning.
Note: some of these breakdowns are my design and are not in the Capabilities document. For me, it is easier to simplify things into even tighter groupings or buckets.
Informing the program is a tactical and programmatic approach that helps people get to training.
Assigning people to perform threat modeling training (Training Assignment). To generate results from training, it must be mandated for those who perform modeling across an organization.
Ensuring that training matches organizational practice and culture (Convention Alignment). It always helps to tailor and customize training to existing organizational learnings. This is a pillar of building a secure culture: embrace what makes this organization different and remember that not every program is cookie-cutter.
Adding new training so folks increase their knowledge over time (Continuing Education). Face it: things change. Threat modeling evolves. We need a vehicle to reinforce anything that has changed and refresh the knowledge of our threat-modeling people.
Informing the learning influences how the training is performed to maximize value.
Role-based threat modeling training (Adaptive Learning). The quality of the learning requires that we provide the proper training for the right people at the right time.
Hands-on, experiential learning by doing (Active Practice). Tailored training must embrace the experience. I have the 30-minute rule of threat modeling that I'm now infamous for, “We are only allowed to talk about threat modeling for 30 minutes before we must threat model something.”
Providing Threat Modeling mentors and coaches to help people understand the threat model better (Execution Support). Experience is the key to embedding the ability to perform threat modeling. Those new to the discipline grow faster when they have experienced professionals to lean into and learn from. Mentors and coaches magnify a program five times over.
Creating Threat Models
Creating Threat Models is the most extensive grouping, with twelve capabilities. Creating influences how individuals and teams perform threat modeling on a day-to-day basis.
I'm splitting Creating into three areas: Formatting and Model Management, Threat Modeling Resources, and Performing Threat Modeling.
Formatting and model management contain the capabilities that define what output from threat modeling looks like and some tactical things we do to track and share models.
Use a consistent format across the organization (Format Consistency). We introduce chaos to the process without a consistent format for threat modeling output. Why inject any more chaos than we already have? A consistent format clearly states where folks need to go with a model.
Versioning threat models (Change Control). Versioning of models allows us to derive metrics and statistics from previous generations of models and provides rollback in case of mistakes made by modifying a model.
Sharing threat models amongst those needing to know (Threat Model Distribution). Sharing threat models is an educational pillar, showing those new to modeling how others with more experience perform. Shared threat models also allow the reuse of ideas and components.
Having a process to revisit a threat model based on relevant changes (Continuous Changes). Updating models is one of the significant challenges teams have – the proper method can direct when to update the model and build more consistency for all involved.
Threat Modeling Resources include tooling, catalogs of reusable items, and the charter to prioritize the right things at the right time.
Using tools to assist the process in helping with modeling and eliciting threats (Tool Assisted Process). Tools are crucial to scaling threat modeling. The right tool enforces the process and allows users to freestyle and capture their creative instincts within a platform.
Creating a reusable store of product-specific threats and mitigations (Pattern Cataloging). Reusing threat and mitigation data and expanding it over time allows each threat model to make the threat modeling collective smarter and increases coverage.
Prioritize the riskiest items for threat modeling when resources are limited (Portfolio Prioritization). Prioritizing the portfolio is good business. We live in a resource-constrained world. The ability to choose the most impactful features to model provides the most significant return on investment.
Performing threat modeling includes facilitation, participatory process, shared responsibility, collaboration, and inputs on the future of threat modeling.
Having facilitators or experienced threat modeling people to help folks learn and get better at the process (Experience Availability). Experienced individuals and facilitators are teachers who bring the team along. I'd rather teach a developer to fish than feed them for a week.
Getting the right functional roles to the threat modeling process (Fostering Participation). Participation from people in diverse functional roles is the only path to enlightened modeling. Diversity of function unlocks new threats that most have never thought of before.
Ensuring that teams know they own their threat modeling and take responsibility for it (Shared Responsibility). Every team must own their piece of the threat modeling challenge. Sharing responsibility is the only scalable way to build a program. The most mature programs have developers perform threat modeling and rely upon mentors and coaches for assistance.
Building a collaborative, blame-free culture around threat modeling (Active Collaboration). Collaboration is another critical need. With the world embracing remote work, teams can’t gather around the physical whiteboard. They need a method to collaboratively threat model with co-workers around the globe in a culture that recognizes the value of everyone's input, and does not punish people based on their findings or thoughts.
Including outside threat knowledge to inform the existing architectures (System and Threat Comprehension). Nobody knows all the threats and mitigations, and these things constantly change. External sources must inform the best threat modeling processes.
Acting on Threat Models
Acting on Threat Models captures the most essential part of threat modeling: the mitigation follow-up. Threat models are only as good as their mitigations. If teams are creating models with hundreds of threats based on the tightest diagrams in the business, but they don't mitigate anything, then everyone is wasting their time. You must act on the results of your threat model for those results to be valuable.
Acting on Threat Models begins with criteria for defining a complete model (Definition of Done). The definition of done solves one principal challenge for people new to threat modeling: how the heck do I know when I'm done with this model? The definition of done sets the standard for completion and excellence.
Acting on threat models must align with other lifecycle functions (Seamless Alignment). Modeling must line up with other areas within the lifecycle.
Using metrics ensures the bar is rising (Baseline Improvement). Metrics are how we prove that our efforts are worth the dollars and hours expended by the teams.
Partnership with risk management (Risk Management). Threat modeling has always needed a partnership with risk management. They can be friends.
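To make the Creating and Acting capabilities above concrete, here is an added example, not part of the Capabilities document or this post, of what Format Consistency, Change Control, Definition of Done and Status Tracking can look like in code. The record layout, the field names, the disposition vocabulary and the two sample models are my own assumptions for illustration; the Capabilities deliberately prescribe none of them.

```python
"""Added example (not from the Capabilities document): a consistently
formatted, versioned threat-model record with a Definition of Done check,
a version diff and dashboard-style status metrics.  Field names, the
disposition vocabulary and both sample models are constructed assumptions."""
from __future__ import annotations

from typing import Any

# Every threat carries exactly one disposition; "open" means nobody has decided yet.
DISPOSITIONS = {"open", "mitigated", "planned", "accepted"}
REQUIRED_MODEL_FIELDS = {"schema_version", "model_version", "system", "threats"}
REQUIRED_THREAT_FIELDS = {"id", "description", "disposition"}


def validate_format(model: dict[str, Any]) -> list[str]:
    """Format Consistency: every model in the organization has the same shape,
    so reviewers and tooling always know where to look.  Returns problems found."""
    errors = [f"missing field: {f}" for f in sorted(REQUIRED_MODEL_FIELDS - model.keys())]
    seen: set[str] = set()
    for t in model.get("threats", []):
        tid = t.get("id", "?")
        for f in sorted(REQUIRED_THREAT_FIELDS - t.keys()):
            errors.append(f"threat {tid}: missing field {f}")
        if tid in seen:
            errors.append(f"duplicate threat id: {tid}")
        seen.add(tid)
        if t.get("disposition") not in DISPOSITIONS:
            errors.append(f"threat {tid}: unknown disposition {t.get('disposition')!r}")
    return errors


def definition_of_done(model: dict[str, Any]) -> list[str]:
    """Definition of Done: the model is complete when it is well-formed, reviewed,
    no threat is left undecided, and each decision carries what is needed to act
    on it.  Returns the reasons the model is NOT done; an empty list means done."""
    reasons = validate_format(model)
    for t in model.get("threats", []):
        d = t.get("disposition")
        if d == "open":
            reasons.append(f"{t['id']}: no disposition decided")
        elif d == "planned" and not (t.get("owner") and t.get("due")):
            reasons.append(f"{t['id']}: planned mitigation needs an owner and a due date")
        elif d == "accepted" and not t.get("rationale"):
            reasons.append(f"{t['id']}: accepted risk needs a written rationale")
    if not model.get("reviewed_by"):
        reasons.append("model has not been reviewed")
    return reasons


def status_metrics(model: dict[str, Any]) -> dict[str, Any]:
    """Status Tracking / Baseline Improvement: counts per disposition and the
    share of threats actually mitigated, as a dashboard would show them."""
    counts = {d: 0 for d in sorted(DISPOSITIONS)}
    for t in model.get("threats", []):
        counts[t["disposition"]] = counts.get(t["disposition"], 0) + 1
    total = len(model.get("threats", []))
    ratio = round(counts["mitigated"] / total, 2) if total else 0.0
    return {"total": total, "by_disposition": counts, "mitigated_ratio": ratio}


def diff_versions(old: dict[str, Any], new: dict[str, Any]) -> dict[str, list[str]]:
    """Change Control: which threats were added, removed or re-dispositioned
    between two versions of the same model."""
    old_t = {t["id"]: t for t in old["threats"]}
    new_t = {t["id"]: t for t in new["threats"]}
    return {
        "added": sorted(new_t.keys() - old_t.keys()),
        "removed": sorted(old_t.keys() - new_t.keys()),
        "redispositioned": sorted(
            i for i in old_t.keys() & new_t.keys()
            if old_t[i]["disposition"] != new_t[i]["disposition"]
        ),
    }


# Constructed sample: version 1 is a first pass that is not yet "done".
MODEL_V1: dict[str, Any] = {
    "schema_version": 1, "model_version": 1, "system": "Example order service",
    "threats": [
        {"id": "T1", "description": "Replay of payment callback", "disposition": "mitigated"},
        {"id": "T2", "description": "Order IDs enumerable", "disposition": "open"},
        {"id": "T3", "description": "Verbose errors leak stack traces", "disposition": "planned"},
    ],
}

# Constructed sample: version 2 after the team acted on the model.
MODEL_V2: dict[str, Any] = {
    "schema_version": 1, "model_version": 2, "system": "Example order service",
    "reviewed_by": "appsec-reviewer (placeholder)",
    "threats": [
        {"id": "T1", "description": "Replay of payment callback", "disposition": "mitigated"},
        {"id": "T2", "description": "Order IDs enumerable", "disposition": "accepted",
         "rationale": "IDs carry no authorization; access is checked per request"},
        {"id": "T3", "description": "Verbose errors leak stack traces", "disposition": "planned",
         "owner": "team-orders (placeholder)", "due": "2024-01-31"},
        {"id": "T4", "description": "Missing rate limit on checkout", "disposition": "mitigated"},
    ],
}

if __name__ == "__main__":
    print("v1 not done because:", definition_of_done(MODEL_V1))
    print("v2 not done because:", definition_of_done(MODEL_V2))
    print("v1 -> v2:", diff_versions(MODEL_V1, MODEL_V2))
    print("v2 metrics:", status_metrics(MODEL_V2))
```

The point of the split between validate_format and definition_of_done is that "well-formed" and "done" are different questions: version 1 passes the format check but fails the Definition of Done on three counts, which is exactly the feedback a new threat modeler needs to know what to do next.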
Communication is included in every stack, framework, maturity model, or set of capabilities. A program can only succeed by communicating up and down within the organization. Threat modeling is no different.
Communication includes celebrating success and learning from failures (Positive Reinforcement). We want threat modeling to move the culture forward. We achieve this by celebrating those who move modeling forward and learning from what didn't work well. Having proper feedback loops unlocks future improvements.
Communication utilizing soft skills for threat modeling success (People-Skills Development). Soft skills get a bad rap as things that are second to technical skills. Face it: soft skills are how you accelerate inside any organization. Those without soft skills struggle to move anything forward, including their career. Threat modeling needs soft skills, as they make you a better threat modeling person. Take active listening – we all win when I listen to a developer explain a feature and ask clarifying questions. I help lead them into a better threat model, and they get a more secure and private feature. Win-win-win.
Communication collecting input from stakeholders (Feedback Collection). Input is crucial. We need to know how we're doing from stakeholders and those executing the threat modeling process.
Communication enables productive dialogue amongst threat-modeling teammates (Constructive Conversations). Conversation is vital in threat modeling and could be lumped in as a soft skill. The ability to ask the right questions at the right time is a superpower.
Communication is keeping ears open to other thoughts and viewpoints in the conversation (Listen to Diverse Viewpoints). Listening is another soft skill. To have a great conversation, I must listen to what my teammates tell me and ensure I understand their perspectives.
Measure what matters. Metrics drive success because, without metrics, everything is a guess. Threat Modeling programs need measurement to show value and how far the needle moves based on investments made.
Measurement includes calculating a return on investment for the program (Value Assessment). ROI is what businesspeople love. Expressing that we'll spend $1 to protect $10 excites businesspeople. Businesspeople love threat modeling when threat modeling generates measurable value.
Measurement uses dashboards and metrics to visualize program improvements (Status Tracking). Dashboards and metrics allow the capture of value generation and productivity across the threat modeling program.
Threat modeling metrics to complement the risk management process (Quantified Risk Management). Once again, risk management and threat modeling want to be better friends. Let's encourage friendship by providing metrics that simplify the risk management process and generate better results.
Program Management joins Measurement and Communication as the trifecta of things required for the success of anything. Program Management defines how to structure and build the program to be world-class.
Program Management includes building a program that demonstrates visible value (Value-Driven Management). Structure, definition, and management determine the value people will take away from a program. If the program is poorly structured, defined, and managed, teams will find excuses not to threat model. Lock in the program tightly and show value.
Program Management evolves and increases value with each evolution (Simple Changes). Based on feedback, change the program in small increments and ensure that you believe each change will provide incremental program value.
Program Management is flexible in methodologies for different contexts (Methodological Openness). Remain open in your definition of methodology. There are many methodologies in the threat modeling world; with threat modeling, it's about success. If a methodology breeds success for a team, allow them to keep moving forward and changing the world a small step at a time.
Program Management is driven by metrics (Metrics-Driven Management). Metrics drive money. Money determines how far the program can go.
The program takes input from stakeholders in its evolution (Collaborative Program Development). Stakeholders are crucial because they either perform the modeling or pay for it. Listen to their feedback and evolve the program to add incremental value.
A journey of a million miles begins with a single step. Threat Modeling Capabilities is a catalog and a roadmap for the journey. You have taken the first step by investigating the Capabilities and beginning to understand them. The next step is to assess your program against them. Remember, the result is a zero or one. There is no partial credit. From there, build a list of the capabilities you want to instill in your organization over the next six months and get to work. And let us know how it goes. We'd love a postcard from the road!