The killer application of threat modeling is promoting security understanding across the whole team. It’s the first step toward making security everyone’s responsibility. Conceptually, threat modeling is a simple process. So consider these five basic best practices when creating or updating a threat model:
1. Define the scope and depth of analysis. Determine the scope with stakeholders, then break down the depth of analysis for individual development teams so they can threat model the software.
2. Gain a visual understanding of what you’re threat modeling. Create a diagram of the major system components (e.g., application server, data warehouse, thick client, database) and the interactions among those components.
3. Model the attack possibilities. Identify software assets, security controls, and threat agents and diagram their locations to create a security model of the system (see Figure 1). Once you have modeled the system, you can identify what could go wrong (i.e., the threats) using methods like STRIDE.
4. Identify threats. To produce a list of potential attacks, ask questions such as the following:
Are there paths where a threat agent can reach an asset without going through a control?
Could a threat agent defeat this security control?
What must a threat agent do to defeat this control?
5. Create a traceability matrix of missing or weak security controls. Consider the threat agents and follow their control paths. If you reach the software asset without going through a security control, that’s a potential attack. If you go through a control, consider whether it would halt a threat agent or whether the agent would have methods to bypass it.
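As an added illustration of steps 3 to 5 (not code from the original article), the following encodes a hypothetical system model, with constructed components, controls, threat agents, assets and data flows, and enumerates for each threat agent and asset the paths that cross no security control versus those that do, which is the raw material for the traceability matrix.

```python
# Added example (not from the original article): a toy threat model of a
# hypothetical web app (constructed sample data) plus the step-5 path check.
NODES = {
    "internet_user": "threat_agent",
    "partner_vpn": "threat_agent",
    "waf": "control",
    "auth_service": "control",
    "app_server": "component",
    "thick_client": "component",
    "database": "component",
    "customer_records": "asset",
}

# Directed data flows between nodes (who can talk to whom).
FLOWS = [
    ("internet_user", "waf"),
    ("waf", "app_server"),
    ("app_server", "auth_service"),
    ("auth_service", "database"),
    ("partner_vpn", "thick_client"),  # partner traffic never passes the WAF
    ("thick_client", "database"),     # client holds a direct DB connection
    ("database", "customer_records"),
]

def simple_paths(graph, start, goal, path=()):
    """Yield every loop-free path from start to goal (fine for small models)."""
    path = path + (start,)
    if start == goal:
        yield path
        return
    for nxt in graph.get(start, ()):
        if nxt not in path:
            yield from simple_paths(graph, nxt, goal, path)

def traceability_matrix(nodes, flows):
    """Map (agent, asset) -> paths split into 'uncontrolled' (no control node
    crossed: a potential attack) and 'controlled' (with the controls crossed,
    each to be assessed for bypass methods, as in step 5)."""
    graph = {}
    for src, dst in flows:
        graph.setdefault(src, []).append(dst)
    matrix = {}
    for agent in [n for n, r in nodes.items() if r == "threat_agent"]:
        for asset in [n for n, r in nodes.items() if r == "asset"]:
            entry = {"uncontrolled": [], "controlled": []}
            for p in simple_paths(graph, agent, asset):
                crossed = [n for n in p if nodes[n] == "control"]
                entry["controlled" if crossed else "uncontrolled"].append((p, crossed))
            matrix[(agent, asset)] = entry
    return matrix
```

In this constructed model the partner VPN reaches the customer records via the thick client's direct database connection without crossing any control, which is exactly the kind of gap step 5 is meant to surface.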