By William Zhang, Lead Security Architect, The World Bank Group
The Peer2Peer session Threat Modeling for Risk-Based Application Security Design was fully attended, with delegates representing healthcare, government, financial services, software, retail, industrial, and other sectors.
For which projects do you require a threat modeling exercise?
Some organizations require all projects to go through threat modeling, while others take a risk-based approach, in which the required depth of the exercise is determined by the architectural complexity (topology) of the proposed solution and the classification of the data it handles.
The general consensus is that a risk-based or tiered approach that concentrates effort on high-risk projects is more effective. Requiring every project to go through the step can make people treat it as a routine checkbox, and the activity is then likely to yield diminishing returns.
Who would conduct the threat modeling?
Some organizations train software engineers to conduct the threat modeling. This seems more effective in organizations whose core business is software development, or that have long-term in-house software developers.
Other organizations have the information security team conduct the threat modeling, with project team members participating.
Some organizations use games to make the threat-modeling activity more interesting. Some give incentives for project team members to actively participate in this activity.
The simplest approach is a threat taxonomy in a spreadsheet: for each project, rate each threat as high, medium, low, or not applicable.
What threat modeling techniques do you use?
The most popular threat-modeling framework is STRIDE (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege).
Other frameworks used by the participants include:
OWASP threat modeling method (https://www.owasp.org/index.php/Application_Threat_Modeling)
SEDA (IBM’s internal threat modeling tool)
WASC threat modeling taxonomy (http://projects.webappsec.org/w/page/13246978/Threat%20Classification).
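As an added example (not code from the session, the author, or the World Bank Group team), the following Python script makes the spreadsheet approach and STRIDE concrete: it applies the standard STRIDE-per-element table (which threat categories apply to external entities, processes, data flows and data stores) to a small constructed data-flow diagram exported as CSV, rates every applicable threat with an assumed rule based on data classification and exposure, records non-applicable cells explicitly as the spreadsheet would, and maps threats at or above a chosen rating to an assumed control catalogue. The DFD rows, the rating rule and the control text are assumptions for illustration only.

```python
"""STRIDE-per-element threat register with rating and control mapping.

Added illustration; the DFD, the rating rule and the control catalogue are
assumed for the example, not taken from the session or any organization.
"""
import csv
import io
from collections import Counter

# STRIDE categories by their one-letter key.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to each DFD element type.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",  # R applies to stores that hold audit records
}

# Assumed control catalogue; a real one comes from the organization's control framework.
CONTROLS = {
    "S": "Mutual authentication (mTLS, signed tokens)",
    "T": "Integrity protection (signatures/MACs, input validation)",
    "R": "Tamper-evident audit logging with synchronized clocks",
    "I": "Encryption in transit and at rest, least-privilege data access",
    "D": "Rate limiting, quotas, redundancy",
    "E": "Authorization check on every call, sandboxing, least privilege",
}

# Assumed risk inputs: data classification and network exposure of each element.
CLASS_SCORE = {"public": 0, "internal": 1, "confidential": 2}
EXPOSURE_SCORE = {"internal": 0, "internet": 1}
RANK = {"n/a": 0, "low": 1, "medium": 2, "high": 3}

# Constructed spreadsheet export of a tiny DFD, one element per row.
DFD_CSV = """\
name,type,classification,exposure
Customer browser,external_entity,public,internet
Web API,process,confidential,internet
Orders DB,data_store,confidential,internal
Browser->API,data_flow,confidential,internet
Audit log,data_store,internal,internal
"""


def rate(element_type, classification, exposure, category):
    """Return "n/a" when STRIDE-per-element says the category does not apply
    to this element type; otherwise rate from the assumed score (0..3)."""
    if category not in APPLICABLE[element_type]:
        return "n/a"
    score = CLASS_SCORE[classification] + EXPOSURE_SCORE[exposure]
    if score >= 3:
        return "high"
    if score == 2:
        return "medium"
    return "low"


def build_register(csv_text):
    """One register row per (element, STRIDE category), mirroring a spreadsheet
    with a threat taxonomy across the top and one row per element."""
    register = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for key, name in STRIDE.items():
            register.append({
                "element": row["name"],
                "category": key,
                "threat": name,
                "rating": rate(row["type"], row["classification"], row["exposure"], key),
            })
    return register


def rating_counts(register):
    """How many cells ended up high / medium / low / n/a."""
    return dict(Counter(r["rating"] for r in register))


def recommend(register, min_rating="medium"):
    """Map every threat rated at or above min_rating to its control."""
    return [
        (r["element"], r["threat"], CONTROLS[r["category"]])
        for r in register
        if RANK[r["rating"]] >= RANK[min_rating]
    ]


if __name__ == "__main__":
    reg = build_register(DFD_CSV)
    for element, threat, control in recommend(reg):
        print(f"{element:18} {threat:24} -> {control}")
    print(rating_counts(reg))
```

The explicit "n/a" cells are deliberate: a reviewer can tell a category that was considered and ruled out from one that was never examined, which is the main thing a flat spreadsheet loses. Replace the score-based `rate` rule with whatever tiering the organization actually uses for data classification and topology.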
Books and Tools for Threat Modeling
Adam Shostack's book "Threat Modeling: Designing for Security" (additional resources from him can be found at http://threatmodelingbook.com/)
Ross Anderson’s book “Security Engineering: A Guide to Building Dependable Distributed Systems.” (The whole book is online at http://www.cl.cam.ac.uk/~rja14/book.html)
MyAppSecurity (http://myappsecurity.com/) has a threat modeler.
Microsoft provides a free threat-modeling tool.
Cigital provides threat modeling services and is said to be working on a threat-modeling tool (https://www.cigital.com/services/architecture-analysis/threat-modeling/)
William Zhang currently leads the security architecture team at the World Bank Group, with a large portfolio of IT solutions that serve employees and partners across the globe. Threats, vulnerabilities and risk are the essential components in our security architecture design work, both at the enterprise platform level and the individual solution level. In the past five years or so, our team has tried various ways of conducting threat modeling, using industry threat modeling tools such as STRIDE. The team also mapped a set of security controls to the various threats and used this mapping to facilitate the security design recommendations. Prior to the World Bank Group, William spent 10 years in the financial industry IT field, as system architect and security architect, among other roles.