[HN Gopher] How we threat model
       ___________________________________________________________________
        
       How we threat model
        
       Author : arkadiyt
       Score  : 20 points
       Date   : 2020-09-13 19:25 UTC (3 hours ago)
        
 (HTM) web link (github.blog)
 (TXT) w3m dump (github.blog)
        
       | rbolla wrote:
| tl;dr: Microsoft's Threat Modeling tool, OWASP's Threat Dragon.
        
       | segfaultbuserr wrote:
       | The automatic anti-clickbait algorithm screwed the title again.
       | Please re-add the word "How".
        
       | baby wrote:
       | Thanks for the article! Some comments:
       | 
       | - this methodology lacks what I think is a good threat model: a
       | list of attacks your system wants to defend against, attacks that
       | are not in scope, and the attacker model (attacker has access to
       | the network at all time, can tamper with traffic, etc.)
       | 
       | - likelihood of each attack vector helps prioritization of work
       | 
       | - STRIDE sucks in my opinion, but it's a good start for people
       | who have no clue about threat modeling. Are there any other
       | models like that to follow?
       | 
       | - frequency: this overlooks how hard it is to get devs to go
| through that work, taking into account that people are always
       | busy. How do you streamline this process and how do you argue for
       | the value of repeating this exercise frequently?
       | 
       | - different types of threat models: what about deployment? What
| about updates? What about CI/CD? All of these have threat models
       | as well.
       | 
       | - different layers of threat models: I like the idea of a global
       | threat model managed by the security team with sub threat models
       | managed by teams owning different components, as these can help
| guide design decisions for new features and refactors.
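The first two points of the comment above (an explicit attacker model plus in-scope and out-of-scope attacks, and likelihood-based prioritization) and the STRIDE point can be captured in a small, machine-checkable threat register. The following is an added example written for this page; it is not code from the github.blog article, from the commenter, or from any GitHub project. The service, attacker capabilities, threat entries and the 1..5 likelihood/impact scales are all constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Stride(Enum):
    """STRIDE categories, used here only as a completeness checklist."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION = "Elevation of privilege"


@dataclass(frozen=True)
class AttackerModel:
    """What the attacker can do. A threat is only relevant if the attacker
    holds every capability the threat requires."""
    name: str
    capabilities: frozenset


@dataclass
class Threat:
    id: str
    description: str
    category: Stride
    requires: frozenset          # attacker capabilities needed to attempt it
    likelihood: int              # 1 (rare) .. 5 (expected)
    impact: int                  # 1 (nuisance) .. 5 (critical)
    in_scope: bool = True        # False = accepted or handled elsewhere
    scope_note: str = ""         # why it is out of scope, so the decision is recorded
    mitigations: list = field(default_factory=list)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def feasible(threat: Threat, attacker: AttackerModel) -> bool:
    """True if the attacker model has every capability the threat needs."""
    return threat.requires <= attacker.capabilities


def prioritize(threats, attacker):
    """In-scope threats this attacker could attempt, highest risk first."""
    relevant = [t for t in threats if t.in_scope and feasible(t, attacker)]
    return sorted(relevant, key=lambda t: (-t.risk, t.id))


def out_of_scope(threats):
    """Threats deliberately excluded; they stay in the document with a reason."""
    return [t for t in threats if not t.in_scope]


def unaddressed_categories(threats):
    """STRIDE categories nobody wrote an entry for (not even an out-of-scope one)."""
    return set(Stride) - {t.category for t in threats}


# Constructed sample: a hypothetical package-registry API, not any real service.
NETWORK_ADVERSARY = AttackerModel(
    "network adversary",
    frozenset({"network-observe", "network-tamper"}),
)

THREATS = [
    Threat("T1", "Replay a captured session token", Stride.SPOOFING,
           frozenset({"network-observe"}), likelihood=4, impact=4,
           mitigations=["TLS everywhere", "short-lived tokens"]),
    Threat("T2", "Modify an artifact in transit", Stride.TAMPERING,
           frozenset({"network-tamper"}), likelihood=3, impact=5,
           mitigations=["signed artifacts verified by the client"]),
    Threat("T3", "Compromised CI runner publishes under another namespace",
           Stride.ELEVATION, frozenset({"ci-runner-code-exec"}),
           likelihood=2, impact=5),
    Threat("T4", "Volumetric flood of the API", Stride.DENIAL_OF_SERVICE,
           frozenset(), likelihood=4, impact=2, in_scope=False,
           scope_note="handled by the upstream DDoS provider"),
    Threat("T5", "Verbose errors leak internal hostnames", Stride.INFO_DISCLOSURE,
           frozenset(), likelihood=3, impact=2),
]


def report(threats, attacker) -> str:
    """Render the prioritized list, the recorded exclusions and the STRIDE gaps."""
    lines = [f"Attacker model: {attacker.name} {sorted(attacker.capabilities)}"]
    for t in prioritize(threats, attacker):
        lines.append(f"  {t.id} risk={t.risk:2d} [{t.category.value}] {t.description}")
    lines.append("Out of scope: " + ", ".join(
        f"{t.id} ({t.scope_note})" for t in out_of_scope(threats)))
    lines.append("STRIDE gaps: " + ", ".join(
        sorted(c.value for c in unaddressed_categories(threats))))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(THREATS, NETWORK_ADVERSARY))
```

Running it against the constructed register ranks T1 above T2 above T5, drops T3 because the network adversary has no code execution on a CI runner (changing the attacker model is what brings it back), keeps T4 visible as an explicit exclusion with its reason, and flags Repudiation as the one STRIDE category nobody considered. Separating the attacker model from the threat list is what lets the same register answer different questions for, say, a deployment or CI/CD threat model without rewriting the entries.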
        
         | Veserv wrote:
         | You are being far too kind. The things you mention are the
         | essence of a threat model. The fact that the article mentions
         | none of those things and instead proposes something that can
         | not, by any reasonable definition, be considered threat
         | modeling and the fact that they think what they propose is
         | threat modeling demonstrates gross systemic incompetence in
         | their security organization.
         | 
         | In no universe can this: "A threat model is a collaborative
         | security exercise where we evaluate and validate the design and
         | task planning for a new or existing service." be considered the
         | definition of a threat model. It mentions nothing of "threats"
         | or modeling them and at no point in the article do they
         | describe actual threat modeling, so this is not a disconnect
         | between definition and action. They also mention: "Then,
         | holistically evaluate the entire surface area and develop the
         | most likely points of compromise. This is the key deliverable."
         | which again completely misses the point of threat modeling as
         | that is identifying where they are weak, not where they will be
         | attacked (though they are likely to be related). This is
          | conflating "know yourself" and "know your enemy" which is
         | ridiculous. What they appear to actually be describing in the
         | article is the most rudimentary security process of actually
         | evaluating their own systems which is a prerequisite for a
         | functional security process since you can not shore up
         | weaknesses without understanding where they are. So, my best
         | possible interpretation is that their security organization
         | seems to think "threat modeling" is a catch-all term for any
         | security process which is a baffling degree of institutional
         | incompetence.
        
       ___________________________________________________________________
       (page generated 2020-09-13 23:00 UTC)