Shostack + Friends Blog


Nature and Nurture in Threat Modeling

What comes easily should still be taught and elaborated upon. Sunset in African Savannah

Josh Corman opened a bit of a can of worms a day or two ago, asking on Twitter: "pls RT: who are the 3-5 best, most natural Threat Modeling minds? Esp for NonSecurity people. @adamshostack is a given." (Thanks!)

What I normally say to this is I don't think I'm naturally good at finding replay attacks in network protocols — my farming ancestors got no chance to exercise such talents, and so it's a skill I acquired. Similarly, whatever leads me to be able to spot such problems doesn't help me spot lions on the savannah or detect food that's slightly off.

If we're going to scale threat modeling, to be systematic and structured, we need to work from a body of knowledge that we can teach and test. We need structures like my four-question framework (what are we working on, what can go wrong, what do we do, did we do a good job), and we need structures like STRIDE and Kill Chains to help us be systematic in our approaches to discovering what can go wrong. Part of the reason the framework works is it allows us to have many ways to threat model, instead of “the one true way.”

But that's not a sufficient answer: from Rembrandt to Da Vinci, artists of great talent appear from nowhere. And they were identified and taught. The existence of schools, with curricula and codification of knowledge is important.

Even with brilliant artists (and I have no idea how to identify them consistently), we need more people to paint walls than we need people to paint murals. We need to scale the basic skills, and as we do so we'll learn how to identify the "naturals."

Photo: Max Pixel.