Threat Modeling In Its Right Place

Brook Schoenfield | Resilient Software Security, LLC & True Positives, LLC
November 17, 2022

Threat modeling is anticipatory.

Sure, it's widely known that threat modeling is important for security. And, we now understand that models can also be used to improve privacy. But where, amongst the many different security tasks described in a comprehensive security development lifecycle (SDL or S-SDLC) does threat modeling fit?

I have argued for quite some time that, in fact, threat modeling is foundational for planning, for structuring digital systems, the process that we call “architecture”. Through a threat model, we build a “security architecture”: the structure of, and relationships amongst, the defenses we construct.

Unfortunately, the threat model’s future-looking aspect is too often missed. The model may be constructed merely to identify existing weaknesses, which misses one of threat modeling's most important contributions. At today’s state of the art, it is the only technique we can wield to prepare for what has some likelihood of occurring, as @adamshostack incisively articulates:

What can go wrong?

Or, as the Threat Modeling Manifesto states:

Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics.

It turns out that the concept of threat modeling is quite intuitive; most people threat model those aspects of their lives where they perceive levels of risk that they find unacceptable. Though, of course, people may not realize that they have built a threat model implicitly.

For a non-technical example, consider taking a laptop to RSA’s San Francisco conference.

Many attendees rent/hire cars. Because it’s less expensive, some hired cars are parked in San Francisco's 4th Street garage (rather than parking at the more expensive car park at Moscone Center). Before dinner, folks “secure” their devices in the trunk/boot of their rentals so that they aren’t burdened while moving from event to event through the evening.

Unfortunately, thieves know that during RSA, nearly every rented vehicle in that garage will have expensive devices in its boot. At dinner time, they walk the garage levels with crowbars that they use to open each obvious rental car, plundering the goodies. Good way to lose one’s laptop.

“What can go wrong?” is the theft of devices. My answer to Adam’s “What are we going to do about it?”, is to carry my devices with me wherever I go during the conference. Annoying, but so far, effective.

In a similar manner, even the most robust static analysis will miss some issues.

The answer to “What are we going to do about it?” might be to apply other, complementary testing methods like automated exploitation tests and fuzzing.

Threat modeling’s place is to identify issues that have some likelihood of appearing at some point during the useful life of a system and which may result in unacceptable impacts. Based upon the threats identified, the model then produces an appropriate set of defenses and mitigations.

We have no other techniques that are forward-looking. Though a comprehensive threat model must not ignore existing issues, it must not be confined to these, either.

The power of the analysis is its ability to catalog those threats that may be used against both existing architectures and technologies and those still under consideration. A threat model provides security future-proofing, a measure of planned survivability, one of a threat model’s greatest gifts.

Threat modeling is anticipatory.