Shostack + Friends Blog


The Essence and Beauty of Threat Modeling

[Image: "But what about the essence and beauty?" (an LLM-generated image)]

Recently, friends at IriusRisk told me about someone who was really focused on the “beauty and essence of threat modeling” when done by smart people at a whiteboard. That person was skeptical about automation, because it threatens that beauty. And the first thing I want to say is: my friend, I feel you. When a threat modeling session really comes together, there’s a magic to the chance to connect, teach, learn, and influence.

But the second thing I want to say is that the word “when” is doing a lot of work there. I’ve been screamed at about wasting people’s time. I’ve had leaders demand that we automate it all. I’ve seen empty threat model files, and I’ve seen malicious compliance. I’ve seen threat modeling described as “a checkbox.”

Frankly, most threats just aren’t that interesting. If we know what to look for, and have tools to help us remember to look, we find them. (The word “if” is also doing a lot of work.) Mnemonics like STRIDE can help those who are not security experts find many of these things. In the “Fast, Cheap, Good” white paper, I comment that if bugs were hard to find, bug bounties wouldn’t work as well.

For most of our customers here at Shostack + Associates, the biggest engineering constraint is time, and there are two ways it gets spent. The first is that everyone is busy, and the time spent coordinating meetings and educating security on the newest feature isn't productive. The second is that teams aren't waiting on a threat model before writing code. And so if they write the code, then threat model it, and find there are design flaws, they have to decide what to do. (This is worst when that code has dependencies which also need to change. The time required grows very quickly.)

When looking at art, a painting one person finds beautiful, another finds baroque. What one person finds colorful, another finds overwhelming. Scaling threat modeling frequently requires compromise and design tradeoffs. In that, it’s just like other engineering techniques.

All up, thinking about the beauty and essence of threat modeling, I think we can get to it more often and more reliably with the thoughtful use of automation: getting the simple issues out of the way is what lets security experts really expose the essence and beauty.