SAN FRANCISCO–The concept of threat modeling has evolved quite a lot in the last few years, moving from an activity that massive software companies such as Microsoft and Google use to anticipate and defend against potential threats to their products to something that many smaller organizations practice. Starting a threat modeling system can seem daunting, but the good news is that there’s no one right way to do it, just the right way for a given organization.
Microsoft has been using some form of threat modeling internally for many years now and the company’s security group has spent a lot of time speaking publicly about the benefits of the practice and advocating for wider adoption of it. Adam Shostack, a program manager in Microsoft’s Trustworthy Computing group, has been one of the main proponents of threat modeling’s use, and he said that he’s reached the conclusion that threat modeling is not one defined set of methods or principles but a fluid and dynamic way of reducing security risks to products and services.
“I now think of threat modeling like Legos. There are things you can snap together and use what you need,” he said during a talk at the RSA Conference here Wednesday. “There’s no one way to threat model. The right way is the way that fixes good threats.”
Security experts often will tell developers that in order to build defensible and resilient products, they need to think like an attacker. That is, look at the product or system the way that a potential adversary would see it, find the weak spots that are ripe for exploitation and correct them. But Shostack said that isn’t exactly the most useful advice.
“Being told to think like an attacker is like being told to think like a professional chef,” said Shostack, who recently published a new book on the topic, Threat Modeling: Designing for Security. “A lot of security people like to cook, but if someone told you to go to the store and buy enough chickens for a restaurant that seats 78 people and turns over three times a night, you’d have no idea what to do.”
As with nearly everything in security these days, there are a number of methodologies, models, checklists and other aids designed to help organizations implement threat modeling. Those tools can be useful and have their places, Shostack said, but none of them should be seen as the perfect answer. Rather, use them as part of the process of putting building blocks in place as you construct a threat modeling program.
“We want to focus on finding good threats. Use your assets and the actions of attackers to make threats real,” he said. “It’s hard to go from a checklist to a broader system. You have to think about threat modeling your software as an end-to-end process.”
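As an added illustration of the "snap-together" idea and of moving from a checklist to an end-to-end pass (this is example code written for this article, not code from Shostack, his book, or Microsoft's tooling): each block looks at one asset and emits only the attacker actions that are realistic for that asset's properties, and the end-to-end function then subtracts the mitigations the team has actually recorded and ranks what is still open. The asset names, block names, weights and mitigations are constructed sample values.

```python
# Added example for this article, not from the source or from Shostack's book.
# Threat modeling as snap-together blocks: each block turns one asset into
# candidate threats; the end-to-end pass subtracts recorded mitigations and
# ranks what remains. All names and weights below are constructed samples.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    name: str
    crosses_trust_boundary: bool   # e.g. reachable from outside the org
    holds_secrets: bool            # credentials, tokens, personal data
    mutable: bool                  # attacker-influenced writes are possible


@dataclass(frozen=True)
class Threat:
    asset: str
    action: str          # what the attacker does, in plain words
    weight: int          # rough priority; higher means look at it first


# A "block" is any function that maps one asset to zero or more threats.
Block = Callable[[Asset], List[Threat]]


def tampering_block(a: Asset) -> List[Threat]:
    """Untrusted, writable inputs can be altered in transit or at rest."""
    if a.crosses_trust_boundary and a.mutable:
        return [Threat(a.name, "tampers with data", 3)]
    return []


def disclosure_block(a: Asset) -> List[Threat]:
    """Anything holding secrets can leak them; worse when externally exposed."""
    if a.holds_secrets:
        return [Threat(a.name, "reads secrets", 4 if a.crosses_trust_boundary else 2)]
    return []


def denial_block(a: Asset) -> List[Threat]:
    """Externally reachable components can be overloaded."""
    if a.crosses_trust_boundary:
        return [Threat(a.name, "exhausts capacity", 1)]
    return []


def find_open_threats(
    assets: List[Asset],
    blocks: List[Block],
    mitigations: Dict[Tuple[str, str], str],
) -> List[Threat]:
    """End-to-end pass: generate candidates, drop mitigated ones, rank the rest."""
    candidates = [t for a in assets for b in blocks for t in b(a)]
    still_open = [t for t in candidates if (t.asset, t.action) not in mitigations]
    return sorted(still_open, key=lambda t: (-t.weight, t.asset, t.action))


# Constructed sample model: a public API front end and an internal key store.
SAMPLE_ASSETS = [
    Asset("api-gateway", crosses_trust_boundary=True, holds_secrets=False, mutable=True),
    Asset("key-store", crosses_trust_boundary=False, holds_secrets=True, mutable=False),
]

# Mitigations the team has actually recorded, keyed by (asset, attacker action).
SAMPLE_MITIGATIONS = {
    ("api-gateway", "tampers with data"): "request signing and schema validation",
}

ALL_BLOCKS: List[Block] = [tampering_block, disclosure_block, denial_block]

if __name__ == "__main__":
    for t in find_open_threats(SAMPLE_ASSETS, ALL_BLOCKS, SAMPLE_MITIGATIONS):
        print(f"[{t.weight}] {t.asset}: attacker {t.action}")
```

Adding a new block, or dropping one that does not fit the product, changes nothing else, which is the point of treating the method as parts rather than as one fixed checklist; the output is only as good as the asset properties and recorded mitigations the team feeds in.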
Of course, even the best and most well-constructed threat modeling program still has to deal with the most unpredictable and dangerous threat to the product: the end user. Trying to predict how users will misuse, abuse and break a piece of software is a fool’s errand, but Shostack said it’s still up to the professionals to put their products in the best position to survive in today’s environment.
“To tell people that they can’t use their computers for what they want is a battle we’re going to lose over and over again,” he said. “People don’t buy their computers to be secure. They buy them to watch dancing babies.”