The Threat Modeling Podcast

Akira Brand -- Gaining Experience by Threat Modeling

Chris Romeo Season 1 Episode 7

Akira Brand joins Chris to talk about her journey into threat modeling, her early experiences, some lessons learned, and how she knew her threat model was successful. Akira's experiences emphasize the importance of collaboration, understanding the application, and using tools and diagrams to aid the process.

Akira is a visual thinker and draws parallels between surgical checklists and the STRIDE model. Akira emphasizes the importance of a comprehensive approach, likening the STRIDE model to a surgeon's checklist that ensures all potential threats are addressed.

In her initial foray into threat modeling, she identified a significant security risk due to excessive permissions in an application. To understand and address this, she delved deep into the application's architecture, relying on data flow diagrams and a hands-on approach rather than a purely theoretical one.

Akira's story underscores the power of collaboration. Her challenges were overcome by the combined efforts of teams from engineering, data analytics, and security. She believes that the true measure of success in threat modeling is when diverse teams come together to create holistic security solutions.

Welcome to Smart Threat Modeling. Devici makes threat modeling simple, actionable, and scalable. Identify and deal with threats faster than ever. Build three free models and collaborate with up to ten people in our Free Forever plan. Get started at devici.com and threat model for free! Smart threat modeling for development teams.

Chris Romeo: Do you ever wonder how people get into threat modeling? Some people find threat modeling without any previous experience. And that's the story I'm going to tell. Akira Brand found threat modeling without any prior experience and landed with an excellent result and a number of lessons learned.

Akira Brand: My name is Akira Brand. I currently work as an application security engineer at a company called Resilia. Resilia is a for-profit company that exists to empower and enable nonprofits to scale and become more sustainable. I also am a co-host of Application Security Weekly podcast. I do that a few times a month. I've been doing that for about six months now, which is a lot of fun. And in my free time, I like to work in my garden, I like to grow gourmet mushrooms in my basement, and I live in the Rocky Mountain region.

Chris Romeo: It's helpful to gain insight about Akira, to understand how and why she went after threat modeling, even though she'd never done it before.

Akira Brand: In the olden days, before I was a technologist, I used to work in classical music. I was an opera singer. I would always pick hard stuff to sing, all the time. I didn't do it because it was hard, I just did it because I liked it. And I would have colleagues be like, “God, that piece is so hard! How did you, how did you do that? That's amazing!” I was like, “Oh, it's hard?” I just, I didn't know, right? I didn't know that it was hard, I just did it. And I feel like that's, maybe something you're pointing to, is maybe I didn't know how hard it was, I just did the thing.

Chris Romeo: Akira is not afraid of a challenge and doesn't shy away from things because they may be difficult. Side note, did you catch that Akira used to be an opera singer? I couldn't resist asking for a small sample of opera to up our classiness level on this podcast. 

 (Akira singing...) 

Chris Romeo: Akira found the world of threat modeling after starting at Resilia.

Akira Brand: One of my first tasks that my manager gave to me was to threat model an integration with a third party. And I was like, “Cool, what's threat modeling?” Kind of like that old joke from Bill Cosby where God comes down and tells Noah, “Hey, you have to build an ark.”And Noah goes, “Cool. What's an ark?” That's kind of what I did. “Cool, what's a threat model?” That's where I started with it. so I really just jumped in head first, learning what the thing actually was as I was doing it.

Chris Romeo: After Akira had her tasking, she needed to work out a process. She dove headfirst into understanding the application.

Akira Brand: The first thing that I did is I tried to get an overview of the application itself and where it intersected with this external integration. I needed to understand how our application worked in this particular area. And this was probably my first month on the job. I didn't know a lot about how our app worked at all.

This is a really good way to like dive deep and understand the architecture of the application itself, as well as how this external area will fold into it. 

The main resources that helped me were existing data flow diagrams that our company had already prepared. I studied those for quite some time to understand the different layers of the application, as well as the specific area of the application that was doing this third-party integration, to understand where the data was flowing, what was connected to what, where.

It was interesting because I didn't start on a theoretical level. I started very much in the nuts and bolts, in the actual work of threat modeling. 

I wasn't the kind of person that was able to have that luxury of going to Adam Shostack's four questions and asking, “Okay, what are we protecting here? Did we do a good job?” I know a lot of people will start with that kind of theoretical top-down, and I did not. I started very much from the bottom up of here is this third-party integration. It was called Preset.

Here's how it works, here's how our app works, and here's how we have to mash the two together. How do we do this in a secure manner by using threat modeling tactics such as data flow diagrams?

Chris Romeo: Akira started threat modeling by doing threat modeling. She didn't spend months reading books and taking classes. She rolled up her sleeves and figured it out. She figured out a developer approach to threat modeling.

Akira Brand: It was definitely not academic, for sure. Definitely more of a developer approach in that it was like, okay, you need to learn the different sections of the app. I'm sure you're going to study the DFDs, but then you're going to make a DFD the next day. And that's kind of been a theme of my AppSec career thus far, is it is a little bit more of a developer-esque approach.

It's not like, I don't know a lot of the theory first and then do it. I do it, and then I understand the theory as I'm doing it.

Chris Romeo: Akira used data flow diagrams as their primary representation because there were existing threat models using DFDs.

Akira Brand: I think I use them because yes, they were what had already been done. But also, for me, I'm a very visual person. If I can write something down, and chart it, and put it in a box, and put an arrow to another box, and that will explain how things work to me much better than the written word or even auditory explanations.

For me, I did the DFDs not only because it's a formalized way to threat model, but because it helped me understand what was going on with our application. 

Chris Romeo: Dataflow diagrams can be drawn on a whiteboard manually, but most folks use tools to create them. What tools did Akira use to create data flow diagrams?

Akira Brand: I used Lucidchart, that was my main tooling. I also did interviews with the engineers. I essentially had them walk through the sections of the app that we were threat modeling, and just explain to me how things worked. We did step through the code a little bit as well.

Chris Romeo: But how did Akira have a source of threats if she was figuring out the process and approach as she moved forward? Isn't a knowledge base of threats part of the theory we learn about threat modeling?

Akira Brand: I was really blessed because I came into this job while one of our engineering pods was working on a particular feature using Preset and they were very security-minded from the get-go. Hey, we need to figure out how we can do this preset integration in a secure manner. 

It wasn't like we had some kind of charter or ledger or rating system or matrix where it was like, oh, we think preset is really important to look at right now because of XYZ grading system. It was literally just what was top of mind and what we were doing at that exact moment. Which I'm also finding is, in a way, a little bit more of a realistic approach to threat modeling.

Chris Romeo: Threat model when pairing with a development team. Threat model the things they're working on now versus making threat modeling an academic exercise assessing the things they might build in the next year.

Akira Brand: I know that there's strategic ways to discover what should we threat model? What is priority? But at the end of the day, if there's a huge feature that the company is going to unroll, you gotta make sure they're doing it securely.

Like, you know, rating systems be damned as it were.

Chris Romeo: But how did Akira know what threats to consider without any methodology in mind? I found that people often struggle with the blank screen problem when they're new to threat modeling, and methodologies such as STRIDE are a teaching aid to get the threat modeling brains moving forward.

Akira Brand: I think that using things like the STRIDE model is good, but I think you can checklist it. For example, say, you're in a surgery room and you're a surgeon or you're a surgical nurse. There's a checklist of 20, 30 things you have to do before the surgery starts every single time you do the surgery, just to make sure that you have a better chance of success.

Think that things like the STRIDE model are essentially the quote unquote surgical checklist for threat modeling. If you can follow these patterns, it won't automate it for you. You're still going to have to do a bit of manual work. However, it will allow you to fill up holes, or fill in gaps, or work out kinks that are basic to every single threat model. 

Chris Romeo: Back to our story of Akira's first threat model. What threats did Akira find? 

Akira Brand: Essentially we were having too many, too many permissions. There was a section of the application that allowed users to do way too many things, way more than they should be allowed to do, and the way that we could fix it was not straightforward. The way we would fix it with this integration with Preset was not like, oh, we'll just give a little bit less permission to this particular user group. 

It wasn't like they called the security team in and said, Hey, we think this is a problem. The security team's like, Oh, actually it's isn't really a big deal. It was definitely an aligned, this is something we need to fix. And we're still honestly constantly refining this particular section of our application.

We had to pull in the data and analytics team as well. We, at the end of the day had engineering, data, and analytics, and security all working together to get this to work.

Chris Romeo: Akira was working with a strong team in security and had insight into the security challenges that their feature faced. Nothing beats working with a team that has a solid security foundation. A team needs a diversity of functions when working on a threat model.

Akira Brand: The way that we ultimately solved for this problem, I don't think I would have come up by myself. I would not have dreamed this up if I had just been alone trying to solve this issue. I would have solved it in a totally different way.

But because we had engineering and data and security on the issue we came up with a really creative solid solution that I mean the data team was bringing things to our attention that you're right I would have never thought of not just because I was new but because I'm a security practitioner I'm not a data person.

So why would I think of these different viewpoints? I don't have that mindset necessarily.

Chris Romeo: How does somebody measure success if they're new to threat modeling? Akira has an answer.

Akira Brand: I knew it was successful when I had three teams working on the threat model together to solve the problem. I think sometimes what can happen in security is we feel like we're working in a bubble.

I knew that this threat model was successful when everybody was using it, when they were using it to make decisions. That mattered to me. And that's when I was like, okay, the work that I'm doing here is having an impact.

Chris Romeo: Impact is everything. It's the most rewarding part of threat modeling as a security person. Knowing that your efforts result in people making better security decisions for the product. 

Akira's story is an inspiration to others who want to start with threat modeling. She didn't begin with giant amounts of institutional knowledge about threat modeling or reading all the latest books. She learned how to threat model by threat modeling. And I wouldn't recommend that you learn any other way. 

Roll up your sleeves and go threat model something.

People on this episode

Podcasts we love

Check out these other fine podcasts recommended by us, not an algorithm.

The Application Security Podcast Artwork

The Application Security Podcast

Chris Romeo and Robert Hurlbut
The Security Table Artwork

The Security Table

Izar Tarandach, Matt Coles, and Chris Romeo