One of the most important information security books is Adam Shostack's Threat Modeling: Designing for Security. In a world where infosec books can be obsolete after a few years, Threat Modeling is not. The book was first published over 14 years ago and is still quite relevant.
Threat modeling, as defined by Open Worldwide Application Security Project (OWASP), works to identify, communicate, and understand threats and mitigations within the context of protecting something of value. It's a process to identify threats and design flaws in a system.
A threat model is a structured representation of all the information that affects an application's security. In essence, it is a view of the application and its environment through the lens of security. Threat modeling can be applied to various things, including software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes.
When I saw Threat Modeling Gameplay with EoP: A Reference Manual for Spotting Threats in Software Architecture (Packt Publishing) by Brett Crawley, I was happy to see that not only was Shostack's book referenced, but he also wrote the foreword.
The gameplay in the title refers to the Elevation of Privilege (EoP) card game Shostack created. Its goal is to help software developers easily and quickly find threats in the software or underlying systems.
The EoP card deck contains threat cards arranged in six suits based on STRIDE. Developed at Microsoft, STRIDE is a model for identifying computer security threats. STRIDE is a mnemonic for spoofing, tampering, repudiation, information disclosure (privacy breach or data leak), denial of service, and elevation of privilege.
TRIM (Transfer, Retention/Removal, Inference, and Minimization) is an extension pack for STRIDE that focuses on privacy. It aims to address some of the shortcomings STRIDE has shown since its creation two decades ago.
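The STRIDE categories above are usually applied "per element" of a data-flow diagram: each kind of element (external entity, process, data store, data flow) is exposed to only some of the six categories, and the chart for that mapping appears in Shostack's book. The following is an added example, not code from the book or from the EoP deck, that applies that chart to a small constructed diagram and lists the candidate threats an engineering team would then discuss card by card. The element names, trust-zone labels and the "high priority for boundary-crossing flows" rule are assumptions made for the example.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added example (not from the reviewed book or the EoP deck). The APPLICABLE
chart is the STRIDE-per-element mapping from Shostack's Threat Modeling;
the diagram, zone labels and priority rule are constructed for illustration.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each element kind (STRIDE-per-element).
# Repudiation is listed for data stores because stores holding logs or audit
# records can be targeted to erase evidence.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # one of the APPLICABLE keys other than "data_flow"
    zone: str   # trust zone label (constructed, e.g. "internet", "dmz")


@dataclass(frozen=True)
class Flow:
    name: str
    src: Element
    dst: Element

    @property
    def crosses_boundary(self) -> bool:
        # A flow between different trust zones crosses a trust boundary.
        return self.src.zone != self.dst.zone


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    priority: str
    note: str


def enumerate_threats(elements, flows):
    """Return one candidate Threat per (element, applicable category) pair."""
    threats = []
    for el in elements:
        for code in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, STRIDE[code], "normal",
                                  f"{el.kind} in zone {el.zone}"))
    for fl in flows:
        # Assumption for this example: boundary-crossing flows get a higher
        # review priority, since they carry data between trust levels.
        prio = "high" if fl.crosses_boundary else "normal"
        for code in APPLICABLE["data_flow"]:
            threats.append(Threat(fl.name, STRIDE[code], prio,
                                  f"flow {fl.src.zone} -> {fl.dst.zone}"))
    return threats


def sample_diagram():
    """Constructed three-element web application diagram."""
    browser = Element("browser", "external_entity", "internet")
    web_app = Element("web_app", "process", "dmz")
    db = Element("orders_db", "data_store", "internal")
    flows = [
        Flow("http_request", browser, web_app),
        Flow("sql_query", web_app, db),
    ]
    return [browser, web_app, db], flows


def summarize(threats):
    """Count candidate threats per STRIDE category."""
    counts = {name: 0 for name in STRIDE.values()}
    for t in threats:
        counts[t.category] += 1
    return counts


if __name__ == "__main__":
    elements, flows = sample_diagram()
    for t in enumerate_threats(elements, flows):
        print(f"[{t.priority:6}] {t.target:12} {t.category:22} ({t.note})")
    print(summarize(enumerate_threats(elements, flows)))
```

Each printed line corresponds to one question a team would put to itself while playing the matching suit of the deck ("can the browser be spoofed?", "can the SQL flow be tampered with?"); the enumeration guarantees no applicable category is skipped, while the card text supplies the definitions and mitigations.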
Training around risk and risk modeling can be mind-numbing, and that's on a good day. But gamified threat modeling is a great way to train engineering teams to threat model. It will help them develop the skills needed.
For each of the hundreds of threats in the book, the card entry gives a definition of the threat, the corresponding CAPEC (Common Attack Pattern Enumeration and Classification) entry numbers, the relevant OWASP Application Security Verification Standard (ASVS) requirements, and detailed mitigation suggestions.
Using a gamification approach in a team environment makes for an engaging training method. If this is done over repeated sessions, the team members will emerge with a thorough understanding of the threats they face. Since the exercise is customized to their own system, these won't be generic best practices for categories of threats; rather, they will be the real-world threats they have to secure their systems against.
Threat modeling is an essential aspect of a comprehensive information security program. For those who want to ensure their staff knows how to deal with threats, the approach in Threat Modeling Gameplay with EoP can be of great value.