Humans are wired to threat model, and many do it on a daily basis: Is it safe to walk down a particular street at night, park cars in a certain neighborhood or have deliveries left on the front doorstep? By imagining threat scenarios and then calculating their impacts, it's possible to minimize risk while investing a minimum amount of time. The problem? Humans aren't always great at determining the likelihood of particular threats, especially those with emotional impact. For example, many people fear flying far more than driving, despite the fact that airplanes are significantly safer than cars. Shark attacks rarely occur, but they carry a strong emotional component that can make them seem more likely.
Companies experience the same problem. While imagination is required to design new threat models, the emotional impact from a data breach or loss of sensitive company information is often tied to high-profile news reports of vulnerabilities or code flaws. This drives enterprises to overinvest in traditional security measures, or underinvest if they're dealing with new technology. In a CSO Online article, author Tony Bradley recounts a story from Michael Howard, the principal consultant for cybersecurity with Microsoft. Howard had interviewed a grad student from a high-ranking university about a mobile technology project she was working on. When asked about potential security concerns, her response was that she hadn't thought about them — and didn't care. Or consider the frustration of InfoWorld's Roger A. Grimes, a security consultant who often suffers through the same discussion with clients: He asks them to predict their most likely threat vectors, and they ask for technology such as smart cards and advanced firewalls. Bottom line? A good imagination is required to effectively threat model, but enterprises must stay firmly grounded in reality.
The easiest way to think about application threat modeling is to break the concept into its component parts: risk and vulnerability. Something at risk must exist for a threat to develop, and it could take the form of sensitive data, server uptime or anything else of value that would have a serious and immediate impact if compromised. But an asset at risk alone is not enough — every enterprise has critical assets. To create a viable threat, a vulnerability such as poor coding, insecure third-party applications or lackluster internal access control must also exist. The key to threat modeling, therefore, is to look at the issue from both sides: What assets are at risk, and how could attackers potentially access them? With a healthy dose of imagination — rooted firmly in data, rather than emotion — and the support of advanced application security controls, it's possible to model attacker methods and create robust defenses.
Want better protection from malicious attackers? Use your imagination.
Threat Modeling: Designing for Security by Adam Shostack, who is responsible for security development lifecycle (SDL) threat modeling at Microsoft.