Assets, Again
What's wrong with this process?
Appsec leaders come to me all the time, looking for feedback on their threat modeling approach. A recent request exemplified a couple of the problems that we see over and over:
The system model provides a framework for identifying and analyzing potential threats by thoroughly describing the assets, attributes, and their interactions within the information system. These assets include infrastructure, software, protocols, and data storage, among others. [...] Identify and classify the organization's assets, including network devices, servers, endpoints, and applications. Explore the key functions of each asset and understand their roles in the organization's business processes.
In Threat Modeling, I talk about there being three types of assets: things you want to protect, things attackers care about, and stepping stones. I talk — at length — about why the term asset doesn’t help us threat model. This approach magnifies those problems, and adds more.
- Why are “protocols” assets?
- What sort of “classification” is involved, and what goal does it serve?
- Why is “infrastructure” an “asset?” Can’t we have the ops team threat model it and assume that it works, especially when we’re talking about the business processes?
- In the second list, can’t you just say “computers and applications?” What does jargoning it up as “assets” do for you?
- Why do you need to understand the functions or the business process at this stage? (Not saying you don’t, I’m saying that you need to justify it.)
What’s more, what’s the value of ‘thoroughness?’ How thorough do we need to be?
These problems are addressed by starting with the question “what are we working on?” If you’re not working on infrastructure... you don’t need to ask questions about it. That’s someone else’s job and threat model. If you’re not working on the whole organization, you don’t need to identify all its assets and go develop an understanding of them...
By the way folks, I can’t do these for the whole world as a hobby project. When we do it for a customer, the request and response are private, and when they're not, sometimes they end up in the blog. If you’d like my team to do a review, please get in touch using the contact us form. Be warned: our rabid sales team will never stop calling (unless you ask them to).