Shostack + Friends Blog


Answering 'What Are We Working On' When Remote

How do we replace the in-person whiteboard sessions essential to Threat Modeling when we are distanced and working remotely?

[Image: data flow diagram]

Practicing physical distancing has already dramatically changed how we work, and will continue to do so. Being physically distant means we can't use a whiteboard to help us talk through "what are we working on?"

There are technical facets of threat modeling, like using visual models to show and scope "what are we working on?" These can be done on a whiteboard, in Visio or Draw.io, or in specialized threat modeling tooling.

Threat modeling also has an interpersonal aspect. Being at a whiteboard shapes those interactions. Being at a whiteboard frames a dialog: we're working together, sharing knowledge or developing shared knowledge of a system. (More on dialog in Talking, Dialogue and Review, and on whiteboarding Diagrams in Threat Modeling.)

We need to replace that tool with something else. Some points to consider:

  • Do you want a threat modeling tool or a drawing tool?
  • Is the tool for developing a shared understanding, or recording that understanding? (Which matters: the journey or the destination?)
  • Usability & fluidity (single user)
  • Usability (team)
  • Integrations (into all sorts of things, including source control, task management, and communication tooling like video conferencing and chat)
  • Accessibility

Last week, I decided to do an experiment with online drawing tools, and I'm blown away by Miro. For me, it has a great mix of fluidity and ease of tweaking, like making boxes the same size and aligning them. Going from a whiteboard diagram to a Visio diagram will usually take me 2-3x as long as the drawing work for the whiteboard. Using Miro, I realized how much of that is awkward UI design. The default Miro stencil search doesn't return a data flow diagram, but there's one at https://miro.com/templates/data-flow-diagram/. The picture above took me just under 4 minutes once I was logged in and had the stencil.

Awwapp [link to https://awwapp.com/ no longer works] has a very nice jump in and go approach, but within a few minutes, I wanted the tools I'd just discovered in Miro. I was unable to find a way to dot lines for trust boundaries.

Google Jamboard on an iPad is very whiteboard-like, including the bad shapes. The erasure animation is something between cute and twee. The assistive drawing tools seemed overly sensitive, and I had a hard time with text. I'm told that there's a version in Hangouts, but didn't explore.

Whatever tool you want to use, recognize that there's a learning curve of some form. My experiment above contains all sorts of biases - maybe if I'd used Awwapp before Miro, Miro would have felt constraining and not whiteboard-like? There's a social aspect. Maybe Miro does a bad job at collaboration? Maybe it has worse accessibility features in ways that matter to a teammate?

(PS: We had a discussion about this on The Appsec Podcast [link to https://podcast.securityjourney.com/application-security-podcast/episodes/ no longer works].)