http://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspxAdam Shostack here. I said recently that I wanted to talk more about what I do. The core of what I do is help Microsoft’s product teams analyze the security of their designs by threat modeling. So I’m very concerned about how well we threat model, anden-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspx#5149577Wed, 26 Sep 2007 22:36:59 GMT91d46819-8472-40ad-a661-2c78acb4018c:5149577Techy News Blog » The Trouble with Threat Modeling<p>PingBack from <a rel="nofollow" target="_new" href="http://www.artofbam.com/wordpress/?p=3149">http://www.artofbam.com/wordpress/?p=3149</a></p> http://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspx#5428001Fri, 12 Oct 2007 23:06:56 GMT91d46819-8472-40ad-a661-2c78acb4018c:5428001Michael Howard's Web Log<p>At Microsoft, we have been using various forms of threat modeling for years now, and we're always learning</p> http://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspx#5472511Tue, 16 Oct 2007 19:08:04 GMT91d46819-8472-40ad-a661-2c78acb4018c:5472511greg hughes - dot nethttp://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspx#5472515Tue, 16 Oct 2007 19:08:49 GMT91d46819-8472-40ad-a661-2c78acb4018c:5472515greg hughes - dot nethttp://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspx#8682249Thu, 03 Jul 2008 00:18:33 GMT91d46819-8472-40ad-a661-2c78acb4018c:8682249Jim Yuill<p>I found Threat Modeling (TM) to be puzzling and confusing at first. &nbsp;What helped in understanding TM was realizing that it is built for some specific conditions at MS. &nbsp;I'm posting an explanation, should it be of help, and also, to get feedback. &nbsp;I’m investigating SDL and TM for use in an open-source system being developed at North Carolina State University.</p> <p>TM focuses on finding security problems in an existing system, or perhaps in a new system whose design has largely been worked-out. &nbsp;In the MS books on SDL and TM, it seems TM is the central component in the SDL. &nbsp;For instance, TM is the largest section in the SDL book, and there is an entire TM book. &nbsp;However, it seems security design should be a more central and prominent component of an SDL than TM. &nbsp;Ideally, security should be correctly put in the system when it is designed. &nbsp;TM is largely a form of testing, used to find security problems in the design. &nbsp;SDL does have a security-design step. &nbsp;It is SDL’s third step, and TM is the fourth. &nbsp;I found it puzzling and confusing for TM to have such a central role in security development, and that it is given more attention than security design.</p> <p>Another thing that was confusing about TM is the way it overlaps with SDL’s security-design step: &nbsp;the security-design step involves TM activities, and TM involves security-design activities. &nbsp;For instance, during the security-design step, attacks should be considered. &nbsp;However, considering attacks is what the TM process does. &nbsp;Further, the TM process involves &quot;mitigation of threats&quot;. &nbsp;However, this mitigation of threats is really security design. &nbsp;I found it puzzling and confusing for TM and security-design activities to be mixed between the two steps. &nbsp;Why not have a single security-design step, and it would compose a design based on assets to be protected, system vulnerabilities, potential attacks (e.g., STRIDE), and available defensive countermeasures (e.g., that provide CIA)?</p> <p>What helped in making sense of SDL’s security-design and TM &nbsp;was considering MS’s environment. &nbsp;This explanation is speculative, but it seems plausible:</p> <p>1) &nbsp;In general, MS’s developers are not security experts. &nbsp;Apparently, during the system design stage, MS developers do the best job they can on security design. &nbsp;Having a separate TM stage provides a way for the security department’s experts to review the security design and find problems. &nbsp;If MS had a single security-design step, then all the system designers would need to have security expertise, and this is not feasible.</p> <p>In general, it’s not practical to expect that most developers be security experts. &nbsp;Security engineering is a unique skill, just as technical writing is a unique skill. &nbsp;It’s well known that programmers typically dislike technical writing and many lack writing aptitude or skill. &nbsp;Similarly, security engineering requires a certain savvy, and not all developers have aptitude for security engineering. &nbsp;Further, acquiring security skills takes time and experience.</p> <p>2) &nbsp;SDL grew out of MS’s efforts to reduce the high incidence of security bugs in its products. &nbsp;TM is largely a form of testing, used to find security problems in the design. &nbsp;SDL’s focus on TM may have been motivated by MS’s goal of dramatically reducing security bugs in the short term.</p> <p>Another reason for separate security-design and TM steps could be complexity. &nbsp;Security design is complex, and although it involves consideration of attacks, it could be helpful to have an additional step that focuses exclusively on attacks.</p> <p>In summary, I found it puzzling and confusing for TM to be the central step in SDL. &nbsp;Also, it was puzzling why SDL’s security-design and TM steps overlapped. &nbsp;It would seem best to have a single security-design step and for it to be central in the SDL. &nbsp;I found SDL and TM made much more sense when we considered them in the context of Microsoft’s development and security teams and Microsoft’s security objectives.</p> <p>Jim Yuill</p>