Threat modeling is an approach that can potentially be overly complicated, but it doesn’t have to be that way, according to Alyssa Miller, business information security officer (BISO) at S&P Global Rating, in a session at the RSA Conference 2022.
Miller also explained an approach for plain language threat modeling that can help accelerate DevSecOps efforts.
“Threat modeling is something we do every day; it’s something that is natural and inherent to us all,” Miller said.
At the most basic level, she explained that threat modeling is about answering two fundamental questions. The first question is about defining what is important in terms of assets. The second question is what could go wrong regarding those assets that might represent a potential threat.
The Threat Modelling Manifesto
In 2020 at the height of the COVID-19 pandemic, Miller and 14 other security professionals got together virtually and drafted the threat modeling manifesto.
The manifesto is an attempt to help define what threat modeling is all about and provide a set of principles to help guide its practice. The manifesto defines threat modeling as an analysis of a system to highlight concerns about security and privacy characteristics. The output of the threat model informs decisions that an organization might make in subsequent design, development, testing and post-deployment phases.
The manifesto also notes that each organization should have its own methodology for threat modeling that aligns with its business objectives and structure.
Five Values of Threat Modelling
Miller said that there are five values of threat modeling outlined by the manifesto.
A culture of finding and fixing design issues over checkbox compliance. She noted that the goal of threat modeling is for it to be part of the culture of an organization.
People and collaboration over processes, methodologies and tools. Miller said that IT organizations tend to forget about the people and processes when they become overly focused on automation.
A journey of understanding over security and privacy snapshot. Threat modeling is not a point-in-time activity. Rather, it’s a journey where organizations are always trying to find and fix issues.
We value doing threat modeling over talking about it. Miller emphasized that threat modeling is an active operation. Rather than just debating what should be done, she suggests that organizations just take a leap and start implementing approaches that help identify and understand threats.
Continuous refinement over a single delivery. For threat modeling to work effectively, Miller said that models need to be constantly refined in a repeatable process. Even the building of our threat modeling methodology needs to be a continuous refinement process.
“Our job is to continuously respond; to do that we need to continuously improve,” she said.