Shostack + Friends Blog


Hoarding, Debt and Threat Modeling

The psychology of getting started threat modeling

[Image: an AI-generated image of a hoarder’s office]

During a recent threat modeling course, one of our students, Aleksei*, made a striking comparison that resonated with a lot of us: starting security analysis is like tackling a hoarder’s house. That visceral image of looking at mountains of accumulated issues, feeling overwhelmed by where to begin, captures a challenge many engineering leaders face when they first attempt to systematically assess their system’s security.

Perhaps the reason it’s evocative is that most of us have been in the situation where, everywhere we look, there are more problems. Where do you begin? And that feeling of being overwhelmed, of not knowing where to start... well, again, evocative.

This is a common situation. Without security analysis techniques, we’re unlikely to design good security. (We’re actually likely to design bad security if we consider only performance and usability and exclude security.) So when we start threat modeling, we quickly find reasons to regret previous decisions.

So how can we start threat modeling when there’s all this technical debt? Some thoughts:

  • Define clean. Maybe one person thinks a good dusting is enough; another that things need to be in containers (books on shelves, desk clutter in baskets, papers in files) and yet another thinks that without bleach, it’s a waste.
  • No new problems. We start threat modeling by asking “what are we working on?” And that means we can set aside the global problem and look to make sure that the code we’re building today doesn’t make things worse.
  • Clean a room. Pick a problem area, and go nuts on improving it. (This is similar to the strangler fig pattern.)
  • Do a security sprint. In the late 90s, Microsoft started having “security pushes” where all feature work was paused to improve security. The executive-visible success of these pushes was a crucial step in the issuance of the Trustworthy Computing memo. Getting all hands on deck to clean something shows its priority. This is a little different than cleaning a room: Everyone does cleaning on the areas they own.

However you want to handle the situation, acknowledging that it seems insurmountable can be important. We all have too many tasks, and those where you can’t imagine success, or where success seems not worth the price, are the ones we want to skip. (This is why I included interpersonal factors in the Jenga whitepaper.)

The questions of “how do I get started” and “how do I take this from ‘me’ to ‘us’” are just some of the places where our team’s experience driving successful threat modeling initiatives distinguishes us.

Need help getting started? Our team has guided organizations from initial threat modeling through to mature security practices. Reach out if you want to talk about your specific challenges.

I’ve left Aleksei’s last name out for privacy. Image by Midjourney: “Today in one of our classes, a student compared starting to threat model to cleaning, home of a hoarder, boxes and books and stacks of paper to the ceilings, hard to see evocative analogy, conversation. To one side, a 'murder board' is visible, with photographs, twine and other interconnections. On the other side is a whiteboard with a software architecture diagram”