Threat modeling

What is threat modeling?

Threat modeling (TM) is an activity most of us already practice in daily life. For instance, a commuter might wonder what he would do if a delayed train caused him to miss his flight. TM is a process that helps us identify potential threats; it also lets us analyze the risks they pose and introduce mitigation strategies. At its core, threat modeling answers four key questions:

  • Where am I most vulnerable to attack?
  • What are the most relevant threats?
  • What should I do to safeguard against these threats?

TM treats security as an ongoing journey of understanding rather than a fixed snapshot (such as a pen test).

Why threat modeling?

100% security doesn’t exist. Unlike, say, code coverage in testing, security is difficult if not impossible to quantify objectively. Hence, it is challenging to answer the question of how much investment in security is enough or necessary. TM provides a list of the most essential concerns, and it can also provide an approximate cost for fixing them.

How does it work?

TM is a team exercise that includes architects, engineers, security champions, and testers. We organize a first TM workshop for all the stakeholders at your organization. After the initial training, we organize a number of time-boxed TM sessions. Together we create a model of your system. Based on this model, we start eliciting threats, assessing their risk level, and looking into possible mitigation strategies.

What do you get?

The result of the threat modeling is a helicopter view of the security state of the practice in the context of your software system. Among other things, threat modeling provides a list of threats along with their likelihood, impact, risk, and mitigation strategy.

As opposed to pen testing, which provides only a loose snapshot of your security posture, threat modeling is a first step in helping your organization build a culture of finding and fixing threats more autonomously. TM also focuses on uncovering design-level errors, as opposed to the list of security bugs presented by the pen testers.