62

I asked a question on what I need to do to make my application secure, when somebody told me:

That depends on your threat model.

What is a threat model? How do I make a threat model for my application?

Vikki
  • 265
  • 1
  • 3
  • 10
  • 4
    Relevant and useful info when engaging in the process: https://security.stackexchange.com/questions/104137/threat-modeling – schroeder Jan 29 '20 at 13:15
  • 9
    I use it whenever someone asks "Is this safe/secure?". Well, secure from what? If you don't tell me what you are worried about, I can't tell you if that's enough. –  Jan 29 '20 at 15:18
  • @MechMK1 you put the question in context of software development. Are you looking for answers within that scope alone? – schroeder Jan 29 '20 at 15:24
  • @schroeder Not necessarily. I put it that way because this is where I see this situation the most. I'm very open to suggestions on how to make this question more general. –  Jan 29 '20 at 15:25
  • "application/system"? – schroeder Jan 29 '20 at 15:42
  • 3
    If you are looking for threat models to use, I have a [threat modeling methodology on my GitHub](https://github.com/executionByFork/LP_ThreatModeling) which is based off of standards like [STRIDE](https://en.wikipedia.org/wiki/STRIDE_(security)) and [VAST](https://en.wikipedia.org/wiki/Threat_model#VAST), and is tailored to be used in the agile cycle during software development. It has templates, instructions, and examples as well. If this doesn't suit your needs there are a handful of other methodologies out there which have been mentioned all over this page already and work just as well. – ExecutionByFork Jan 29 '20 at 22:10
  • @schroeder I wrote it as a comment because I did not think it would be adequate as an answer. I only gives an example of a threat model and references two others. It does not explain what a threat model is and, although I have plenty of documentation in the repo, it doesn't describe how to make a threat model either. I felt the other answers were already covering this, so I just threw it in as a reference for people to use – ExecutionByFork Jan 30 '20 at 00:00
  • @ExecutionByFork ah, I thought that because you said that you had a methodology that you could provide a perspective on how to make a threat model – schroeder Jan 30 '20 at 07:38

4 Answers4

50

FilipedosSantos' answer does a great job of explaining a formal threat modelling exercise under, for example, the Microsoft STRIDE methodology.

Another great resource is the threat modeling course outline on executionByFork's github.


When I use the term "threat model" on this site, I usually mean something less formal. I generally use it as a response to new users asking "Is this secure?" as if "secure" is a yes/no property. It's usually part of a paragraph like this:

That depends on your threat model. "Secure" isn't a thing; secure against what? Your kid sister snooping on your iPhone? A foreign government soldering chips onto your datacentre equipment? Or something in between?

I really like the Electronic Frontier Foundation's threat modelling framework, which focuses on asking these three questions:

  1. What are you protecting?
  2. Who are you protecting it from?
  3. How many resources can you invest in protecting it?

I really like the way the EFF has written this because these simple and easy to answer questions can guide someone with zero background in security into figuring out "the right amount of security" for them.

yoozer8
  • 810
  • 2
  • 7
  • 17
Mike Ounsworth
  • 57,707
  • 21
  • 150
  • 207
  • Excellent points regarding the differences of formal and more informal threat modelling approaches. However a "formal" framework can also be used for simple scenarios and applications. – Filipe dos Santos Jan 29 '20 at 15:40
  • In order to learn the framework used by my employer, in a workshop they let us use a scenario where we should physically secure a building. Since most concepts are the same, the framework can be easily applied in a "simpler", and even non-technical scenario. – Filipe dos Santos Jan 29 '20 at 15:42
  • 6
    @FilipedosSantos I agree that once you are comfortable with a framework, you can apply it to simpler situations; however if someone is asking what 2FA method they should use on their gmail account, then IMO teaching them the STRIDE model is overkill, instead I prefer to gently nudge them with the EFF questions. – Mike Ounsworth Jan 29 '20 at 15:43
  • 2
    Tangent, but: Should it be, "How many resources" or "how much resources"? They both sound wrong to me... – Conor Mancone Jan 29 '20 at 17:22
  • 2
    My classic example is to ask if they are building "an anonymous cutest-cat-picture-voting site" or "a web portal for launching a preemptive nuclear strike". Obviously the security concerns in these two cases are wildly different (and why in the world are you create a web portal for launching nuclear missles!!!!) – Conor Mancone Jan 29 '20 at 17:25
  • 2
    @ConorMancone lol. If you're asking basic questions on StackExchange then maybe you're not qualified to build that web portal for launching nuclear missiles .... – Mike Ounsworth Jan 29 '20 at 18:56
  • 9
    @MikeOunsworth :) Indeed. Although I've actually seen: "I'm building a payment portal for a fintech startup. How do I secure the payment portal, I'm new to this?". My answer: "hire someone else to do it." – Conor Mancone Jan 29 '20 at 19:05
  • 1
    @ConorMancone Uhh, yeah, the correct answer is "Get out of the fintech industry" – Mike Ounsworth Jan 29 '20 at 19:21
  • 5
    @ConorMancone I'd say "What resources"? Asking how many or how much sounds wrong to me because it's like asking how many tools you need to build a car. The number or amount is not really interesting. – JiK Jan 30 '20 at 10:33
  • 1
    An analogy: "Is this lock secure?" - "It depends. Against who? People without tools just passing by? Sure. People with a crowbar? Not so much." – T. Sar Jan 30 '20 at 13:31
22

A great definition can be found in this excerpt from the OWASP page about Threat Modelling:

A threat model is essentially a structured representation of all the information that affects the security of an application. In essence, it is a view of the application and its environment through security glasses.

How you make the Threat Model will depend solely on the Threat Modelling methodology applied. One of the most common methodologies used in the industry is Microsoft's, that is based on the STRIDE model of threats.

Usually a Threat Modelling workshop/session is a round table with all developers, product owner, security experts and a moderator (it can be done alone if you are not working on a team). The ones involved will execute the steps proposed by their methodology in order, and the result will be the Thread Model document/artifact.

One of the Microsoft Threat Modelling methodologies defines 5 major steps:

  • Defining security requirements.
  • Creating an application diagram.
  • Identifying threats.
  • Mitigating threats.
  • Validating that threats have been mitigated.

The company that I work for uses a similar methodology and it's required for all products that are under development. One difference that I find quite interesting it that we can either make a Threat Model for the entire product, or we can make Threat Models for each product use case.

In the end a Threat Model is the result of many Threat Modelling sessions, where the development team, PO and security experts will brainstorm to find possible vulnerabilities, and then use the defined methodology create the Threat Model document.

Adam Shostack
  • 2,659
  • 1
  • 10
  • 12
Filipe dos Santos
  • 1,090
  • 4
  • 15
8

A threat model answers the question - what are the reasonably expected threats for the concrete software (or "system"). Emphasis on concrete (== not academic/theoretic) and reasonably (== not overbearing, also known as paranoid)

A paranoid threat model can (quite literally) paralyze everything (not limited to software). An academic/theoretic threat model can increase the cost of defense/mitigation to infinity.

A threat model is about the life and death of what you want to protect and what you have to handle vs. what your customer or "larger system" is expected to handle. Who do you trust or not and why? That "why" part is very important and the answer can't be "because". You are defining the boundary of responsibility.

Defense and mitigation plans are not part of the threat model. Mitigation is if something is not reasonably defensible or perceived threat is by and large nonsense or a fad (have been a few in the past few years - makes good headlines - latest by NSA))

Examples:

#1 Say you are writing a server for a military contractor to do FEM analysis for engines (or whole devices/vehicles). What is a reasonably expected threat? Denial of service and confidentiality. What is not? Spoofing, tampering, repudiation, elevation of privilege.

Why?

Authentication and authorization and (much stronger) crypto are handled by systems external to your software (you reasonably expect that to be handled by client's "environment" and normally it is). Breaking "integrity" is pointless (submitting broken mesh to analysis), repudiation you don't care about (someone submitted a "broken mesh" or a "mesh that's not really 'their engine'" and then denying it - between irrelevant and none of your business).

Denial of service can really hurt you (server not doing the work == no money) and is plausible (from proverbial; "Russians" to the competition from across the street to "general net attack from China" - has happened, will happen. damage is real). Confidentiality - you can't trust the cloud - not even .gov Azure, even if you are US company (someone will sell your wireframes to Lockheed), not to mention if your client is Chinese or Russian or German or Brit ... - you've got the picture

#2 Say you are writing/porting an accounting or banking software to "as service". What is a reasonably expected threat? Spoofing, tampering, repudiation. What's not? Denial of service. What's maybe? Elevation of privilege (depends on the nature of your software). What's complicated? Confidentiality.

Why? You have to go to the cloud (which will handle DoS) and confidentiality is the legal category for that line of business, protected (or not) by the legal system (defending against a "mole" that's going to blow a whistle on his girlfriend's CEO is none of your business). Your responsibility gets complicated because you are answering to contradicting demands. You need a lawyer.

On the other hand, non-repudiation is more or less the bread and butter of your business and happens frequently. You might be contractually or even legally required to enable excessive auditing. Tampering is related (someone proves that tampering is possible - non-repudiation is dead) and very lethal and attractive for an attacker (money. money, money). One can do tampering without breaking (usual) crypto - your "tampering" has many legs - now what?

Spoofing is not "authentication" - it's a 3rd party being able to record interaction/transaction (moving money, sales records, everything) without anyone noticing." 2nd part of spoofing is actually tampering (ability to change data "on the fly" without anyone noticing). The actual "man in the middle" attack. The "without anyone noticing" is the defining aspect. One doesn't have to break authentication at all and it's better if he doesn't - the ultimate "not noticing").

Elevation of privilege may or may not be your problem, depending on what's your system providing as a service "over the wire" vs private/secured channels (which are always someone else's problem), who's your client and do you want/have to integrate into a larger system or write your own. You may have to do both but the important aspect is to know what and why.

See how things can get very different quite easily? When someone asks you "do you have a threat model" he's asking "do you know what you have to defend in your, very particular, case".

schroeder
  • 123,438
  • 55
  • 284
  • 319
ZXX
  • 189
  • 1
  • #1 - you don't care about auth&auth because the environment takes care of it but do care about DoS because the environment doesn't take care of it? – peterph Feb 02 '20 at 20:23
3

Threat modeling is the use of models to consider security. That can be really simple, such as "we consider the random oracle threat model," or it can be a more structured and systematic analytic approach, such as using data flow diagrams to model an application and STRIDE to find threats against it.

I advocate for a four-question framework as central to threat modeling:

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good job?

There are lots of ways to answer each of these - we can model a web app as a state machine. We can use kill chains to address what can go wrong. We can consider eliminate/mitigate/transfer/accept as strategies for dealing with it, and within mitigate, there are lots of prioritization approaches and tactics, such as re-factoring parsing code or adding TLS.

This framework works because it starts from something which is understood and accessible to engineers - the thing they're working on. It also works because there's explicit time for a retrospective, giving a time to make adjustments and help you learn.

It also works because it encompasses and frames a lot of the other work - rather than saying "we use STRIDE to threat model," we can say "we use STRIDE to help us figure out what can go wrong" and that moves us from a discussing what threat modeling is to discussing different ways to do it.

This is a software-centric approach, and there are also asset-centric and attacker-centric approaches. Asset-centric approaches tend to fail because asset inventory is difficult and time consuming; a list often includes things which are difuse, like reputation. Asset-centric approaches also stumble when a software project team takes them on because most of the assets are far outside the scope of the project, or identifying assets in the unique control of the project is difficult. Attacker-persona approaches tend to fail because it's impossible to interview most of your attackers, and 'interview the participants' is a key step in making a persona. They also are problematic making lists of attackers means you're path dependent. If you fail to include kids, or trolls, or nation states, you miss important threats.

Adam Shostack
  • 2,659
  • 1
  • 10
  • 12