In episode one of the Threat Modeling podcast, host Chris Romeo explores various definitions of threat modeling gathered from industry experts. The podcast discusses whether risk assessment and threat modeling are the same, the essence of threat modeling, collaboration and documentation, identifying and mitigating threats early, the Five W's and an H approach, structured brainstorming, and proactive security. The Threat Modeling Manifesto's definition is favored by Chris, which states that threat modeling is "analyzing representations of a system to highlight concerns about security and privacy characteristics." In addition, the podcast highlights that threat modeling involves art, science, collaboration, and brainstorming, aiming to improve security and privacy in systems.
Chris:
Welcome to episode one of the Threat Modeling podcast. I'm your host, Chris Romeo. In case you forgot, I'm on a journey to understand threat modeling more deeply. In case you didn't know, I'm an application security practitioner. I'm a podcast host and also a self-described threat modeler to the stars. So let's start with defining what the heck threat modeling is. I went to where everyone goes when they need an eternal source of knowledge. The internet. I asked a simple question on Twitter and LinkedIn. What is threat modeling? I decided to keep it simple to avoid leading the witnesses. I received 15 responses to the question from many folks that I respect from across our industry. These definitions provide many different angles and perspectives on threat. However they all work together to explore further and describe the essence of threat modeling. We'll start with the idea that risk assessment and threat modeling are the same. Doug Landal is a cybersecurity risk and compliance expert. Doug focuses on application risk assessment as a critical component in cybersecurity. He suggests that the term threat modeling can be misleading. It implies the process is limited to modeling threats while it encompasses much more. From Doug's viewpoint, threat modeling is a security risk assessment and application analysis. While I understand what Doug says, I would separate threat modeling from risk assessment Instead. Risk assessment carries baggage in my mind. This could be because of my history and security for the past 25 years. When I think risk assessment, I think compliance activity that measures what we've built. So something that's focused on more of the past tense, while threat modeling for me is about changing what we're making now and what we're making into the future. The following two definitions help to capture the essence of threat modeling. First, Jeff Williams, the co-founder and CTO at Contrast defines threat modeling as the art and science of figuring out whether your defenses are sufficient to counter the threats you care about. I like that Jeff uses the terms art and science. Threat modeling contains art through creativity and science by using a defined process that provides some regularity to each model. Nigel Hansen, a CISSP, global AppSec and hardware security expert describes threat modeling as people working through four main questions to identify potential issues that no tool will likely find. These questions help in identifying what could go wrong. Adam Shostack's now famous Four Questions define the essence of threat modeling, and we'll explore them in more depth in a later episode. Ken Toller, an application blockchain and cloud security professional, sees threat modeling as an exercise in formalizing information discovery through collaboration. This collaboration helps to document and prioritize risks and determine expected controls effectively. Collaboration with threat modeling is a crucial principle. When a person threat models in a vacuum, the resulting model will never be as good as when collaborating with others to expand the universe of applicable threats. Jayanthi Manikandan emphasizes the importance of proactively identifying threats early in the software development lifecycle to mitigate them appropriately resulting in a safer and more secure system. Mitigating threats early is a crucial property of threat modeling. We want to consider the issues before a feature reaches production. According to RG Williams threat modeling is about answering the who, what, when, where, why, how, and most importantly, to what. By identifying the assets and understanding the potential risks, teams can create a plan to prevent harm from attackers or circumstances. I like this approach to thinking about threat modeling. It encompasses a process within and guidance on how to consider specific threats. Avi Douglen and Kim Wuyts both agree that threat modeling is a structured approach to thinking about security and a focused brainstorming session to consider what could potentially go wrong. Tanya Jenka also views it as a brainstorming session about what might go wrong and what to do about it. I like the inclusion of brainstorming in the essence of threat modeling. Brainstorming is a piece of a successful approach because brainstorming pushes us beyond the threats that we can understand via various methodologies. All these previous definitions have helped me to expand my understanding of threat modeling. It's powerful to take a concept that I consider nebulous and think about each facet brought into view by various experts. Powerful stuff. My favorite definition of threat modeling comes from the threat modeling manifesto. Side note, I was lucky enough to be a contributor to the manifesto. As we created the document, we extensively discussed and debated the definition of threat modeling. As a result, all of us authors came from different backgrounds and perspectives, and this definition is what we could all live with. The manifesto says threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics. The first part of the definition uses the term representations. Representation is any way of describing the subject to the threat model. A representation can exist in many different forms. It could be a picture, it could be a verbal description of how something works. A person could even scribble a representation on the back of a napkin. The point is that the representation is what we analyze. Analyzing, uses a systematic process to iterate across the representation, looking for potential issues to mitigate. The definition focuses on both security and privacy characteristics. Both are crucial to the success of a new feature or system. If we bring words from each of the definitions for threat modeling together, it will help us to understand the essence of threat modeling, art, science, collaboration, early who, what, when, where, why, and how, and brainstorming. All of these are pieces that contribute to successful threat modeling. I still favor the threat modeling manifesto definition because I can simplify it even more to say analyzing representations to highlight security and privacy issues. Now that we have a working definition of threat modeling, we can continue, and explore, Adam Shostack's four questions.