Shostack + Friends Blog


Threat Model In My Devops

A recent talk by Alyssa Miller focuses on integrating threat modeling in devops.

This talk by Alyssa Miller is fascinating and thought provoking.

She frames a focus on integrating threat modeling into devops. The question of 'what are we working on' is answered with use cases, and threat modeling for that sprint is scoped to the use cases. 'What can go wrong' is focused on a business analysis of what can go wrong with private data, critical functions, financial assets, people assets or secrets.

I like the business integration. I do have a couple of reactions: first, the approach to assets - assets in this story is a really nice hack that addresses many of the failure modes of starting from assets. Those problems include definitions (things attackers want/things you protect/stepping stones), generality, such as wanting to protect the company's reputation in a vaguely defined way, and the need to invest time in creating a list of assets and generating agreement around it.

Second, I wonder if getting rid of diagrams that show data flows a good tradeoff? (I'm intentionally not saying DFD.) It's clearly a good tradeoff if the alternative is 'do nothing.' It may be that this business-focused approach helps obviate the need for data flows, but I'm not sure.

Regardless, the talk is worth watching.