Shostack + Friends Blog Archive


Threat modeling the Dread Pirate Roberts way

It has to be said that no one in The Princess Bride is great at threat modeling. But one scene in particular stands out. It’s while they’re planning to attack the castle and rescue Buttercup:

if only we had a wheelbarrow

Westley: I mean, if we only had a wheelbarrow, that would be something.
Inigo: Where did we put that wheelbarrow the albino had?
Fezzik: Over the albino, I think.
Westley: Well, why didn’t you list that among our assets in the first place?

The trouble here is that Inigo and Fezzik don’t see a wheelbarrow as an asset worth listing. They know about it, but don’t bring it up. This is a predictable and even desirable state. When you model, you discard details that seem irrelevant. If you list absolutely everything, you end up sounding like Rain Man, not an engineer.

Knowing what’s important enough to list is challenging. There’s no prescriptive guidance on what assets are worth including. (Because it’s challenging to know what makes a good list, there’s also no clear exit criteria or “gate.”)

Security experts love to complain that others have left things out. If you want to complain, you need to start with a clear definition of what an asset is, which assets are important enough to list (a $10 wheelbarrow?), and what constitutes a good list. It’s simply easier to start with the technology you’re threat modeling than to worry about assets.