[HN Gopher] How we threat model
___________________________________________________________________
How we threat model
Author : arkadiyt
Score : 20 points
Date : 2020-09-13 19:25 UTC
web link (github.blog)

| rbolla wrote:
| tl;dr: Microsoft's Threat Modeling Tool, OWASP's Threat Dragon.
|
| segfaultbuserr wrote:
| The automatic anti-clickbait algorithm screwed the title again. Please re-add the word "How".
|
| baby wrote:
| Thanks for the article! Some comments:
|
| - this methodology lacks what I think is a good threat model: a list of attacks your system wants to defend against, attacks that are not in scope, and the attacker model (attacker has access to the network at all times, can tamper with traffic, etc.)
|
| - likelihood of each attack vector helps prioritization of work
|
| - STRIDE sucks in my opinion, but it's a good start for people who have no clue about threat modeling. Are there any other models like that to follow?
|
| - frequency: this overlooks how hard it is to get devs to go through that work, taking into account that people are always busy. How do you streamline this process and how do you argue for the value of repeating this exercise frequently?
|
| - different types of threat models: what about deployment? What about updates? What about CI/CD? All of these have threat models as well.
|
| - different layers of threat models: I like the idea of a global threat model managed by the security team with sub threat models managed by teams owning different components, as these can help guide design decisions for new features and refactors
|
| Veserv wrote:
| You are being far too kind. The things you mention are the essence of a threat model.
| The fact that the article mentions none of those things and instead proposes something that cannot, by any reasonable definition, be considered threat modeling, and the fact that they think what they propose is threat modeling, demonstrates gross systemic incompetence in their security organization.
|
| In no universe can this: "A threat model is a collaborative security exercise where we evaluate and validate the design and task planning for a new or existing service." be considered the definition of a threat model. It mentions nothing of "threats" or modeling them, and at no point in the article do they describe actual threat modeling, so this is not a disconnect between definition and action. They also mention: "Then, holistically evaluate the entire surface area and develop the most likely points of compromise. This is the key deliverable." which again completely misses the point of threat modeling, as that is identifying where they are weak, not where they will be attacked (though they are likely to be related). This is conflating "know yourself" and "know your enemy", which is ridiculous. What they appear to actually be describing in the article is the most rudimentary security process of actually evaluating their own systems, which is a prerequisite for a functional security process since you cannot shore up weaknesses without understanding where they are. So, my best possible interpretation is that their security organization seems to think "threat modeling" is a catch-all term for any security process, which is a baffling degree of institutional incompetence.
___________________________________________________________________
(page generated 2020-09-13 23:00 UTC)