
Our manager often asks us for a quick understanding of what the risks will be based on some idea that the department has been working on during the ideation phase (the business requirements are generally written, but no implementation is done).

These teams are asking for security risks and threats to see if the idea is even worth going through with, or how much of a barrier security will be when implementing the solution or idea.

How to create non-generic security requirements for an idea phase?

schroeder
Filipon

2 Answers


This sounds like a great application for threat modeling as part of the design process. If you’re unfamiliar, threat modeling is a technique involving the creation of threat landscapes, where a product/service/system is analyzed to find potential risks. Fundamentally, threat models are simply conceptual decompositions addressing potential threats, so they can really take any format. It’s common, though, to build visual diagrams of threat models to illustrate, particularly using a specific unified design scheme. Microsoft has a popular threat modeling tool for the visual task, and OWASP has a project for an OSS threat model diagramming tool as well. Good luck!

securityOrange

Let's threat model using the first two questions of the 4-question threat modeling framework (what are we working on, what can go wrong, what are we going to do about it?) and the threat/requirement/control triangle.

Start by asking what we're working on and what it might look like. You can do this with whiteboard designs. For example, if 'what we're working on' is a new IoT lightbulb which is controlled via the cloud, you can draw those components; if it's controlled by Bluetooth, you can imagine what components are there.

From there, you can look at what can go wrong by brainstorming, using STRIDE, or a kill chain. You might list threats like spoofing users at the cloud site, spoofing devices talking to other people's accounts, tampering with the devices at an Airbnb, etc.

With that, you can use the threat/requirement/control triangle to use your threats to list requirements. The triangle is:

[Diagram: the threat/requirement/control triangle]

The idea behind it is that you discover a threat, say, anyone can put text on the website. Is integrity a requirement? It's by design that we can edit some, but not all of the text here on SE, and would be a serious violation at whitehouse.gov.

(The diagram is from https://adam.shostack.org/blog/2017/05/threat-modeling-iot/ )

Adam Shostack
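The three steps in the answer above, carried through as an added example (not code from the answer, from Shostack's blog or from any threat modeling tool): a whiteboard model of the cloud-controlled lightbulb is written down as DFD elements, the STRIDE-per-element mapping lists what can go wrong, and each threat is phrased as the requirement question of the triangle. The element names, trust zones and the "defer same-zone flows" filter are assumptions made for this example.

```python
from dataclasses import dataclass

# STRIDE-per-element (Microsoft's mapping): which categories apply to each DFD
# element kind. S=Spoofing T=Tampering R=Repudiation I=Information disclosure
# D=Denial of service E=Elevation of privilege.
STRIDE_PER_ELEMENT = {"entity": "SR", "process": "STRIDE",
                      "store": "TRID", "flow": "TID"}
# Each category violates one security property; that property is the candidate
# *requirement* in the threat/requirement/control triangle.
PROPERTY = {"S": "authentication", "T": "integrity", "R": "non-repudiation",
            "I": "confidentiality", "D": "availability", "E": "authorization"}

@dataclass
class Element:
    name: str
    kind: str          # entity | process | store | flow
    zone: str = ""     # trust zone an entity/process/store lives in
    ends: tuple = ()   # for flows: (source zone, destination zone)

def threats(model):
    """Step 2 ("what can go wrong"): (element, category) pairs from STRIDE-per-element."""
    out = []
    for e in model:
        # Assumed idea-phase filter: flows that stay inside one trust zone are deferred.
        if e.kind == "flow" and e.ends[0] == e.ends[1]:
            continue
        out.extend((e.name, c) for c in STRIDE_PER_ELEMENT[e.kind])
    return out

def requirements(model):
    """Triangle step: phrase each threat as the requirement question to put to the business."""
    return [f"Is {PROPERTY[c]} of '{name}' a requirement? (threat: {c})"
            for name, c in threats(model)]

# Constructed whiteboard model of the cloud-controlled lightbulb, with a
# Bluetooth fallback that stays in the home zone.
LIGHTBULB = [
    Element("Owner", "entity", "home"),
    Element("Phone app", "process", "home"),
    Element("Cloud API", "process", "cloud"),
    Element("Account DB", "store", "cloud"),
    Element("Bulb firmware", "process", "home"),
    Element("app->cloud login", "flow", ends=("home", "cloud")),
    Element("cloud->bulb command", "flow", ends=("cloud", "home")),
    Element("app->bulb Bluetooth", "flow", ends=("home", "home")),
]
if __name__ == "__main__":
    for question in requirements(LIGHTBULB):
        print(question)
```

The answer to each printed question is the business decision (as with editing text on SE versus whitehouse.gov); the control column of the triangle is filled in only for the ones answered "yes".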