Threat Modelling Resources

[depatchedmode]

Threat modelling was raised today as an underserved part of the software development life cycle. Most teams lack a security expert who would advocate for this, regardless of their size. Small teams are particularly affected by this.

Barriers may be:

• Lack of awareness of the importance and value threat modelling
• Uncertainty about how to get started
• Concerns about impact on timeline and budget
• Effectiveness of it as a practice

Let's collect helpful, lightweight, resources on how teams can begin more regularly incorporating threat modelling into their daily practice.

[agostbiro]

Thanks for bringing this up on the last call! It's a topic close to my heart.

Why

My quick pitch for threat modeling is this: Threat modeling is a conscious approach to preventing things going wrong. Without such a conscious approach things that could be prevented will go wrong.

What

I like Adam Shostack's four question framework to get started:

What are we working on?
What can go wrong?
What are we going to do about it?
Did we do a good job?

This is basically what threat modeling is about. The rest is tools and methodologies that can facilitate answering these four questions and making sure that the answers are up-to-date.

Resources

When it comes to resources, I found the following books helpful to get started with threat modelling:

• Threat Modeling by Izar Tarandach, Matthew J. Coles
• Threat Modeling: Designing for Security by Adam Shostack

And the following resources are a good catalogue of things that can go wrong:

• Security Engineering by Ross Anderson
• OWASP Top 10 Web App Vulnerabilities
• OWASP Mobile Application Security Checklist
• Privacy Considerations for Internet Protocols
• Timing Attacks

The biggest challenge in getting into threat modeling for me was the myriad of different acronyms all of which denote slightly different approaches towards the same goal. My advice is to just focus on the four questions and find the tools that help you answer them.

Blockchain Client Attack Tree

When I was designing a blockchain client, I found building an attack tree the most helpful exercise in answering the four questions. I started by collecting things that can go wrong and then wrote a generic definition of what can go wrong:

Blockchain client security is the problem of preventing fraudulent transactions with users' keys. A fraudulent transaction is a blockchain transaction carried out or instigated by a third party that the user did not intend to carry out or intended to carry out with different parameters. Fraudulent transactions can occur through technical means or deception or through a combination of these.

And then broke this definition down to smaller pieces:

To illustrate that it's not worth getting hung up on terminology, I basically made up the term "approval spoofing", because the problem I was trying to solve didn't fit into any of the commonly used acronyms (e.g. STRIDE):

Approval spoofing: the user authorizes a transaction with different parameters than they intended to or the user performs an action which leads to authorizing a transaction without being aware of authorizing a transaction. Approval spoofing may happen through deception attacks or through a compromised dapp.

The entire attack tree can be found here.

[depatchedmode]

This is super helpful. Thanks @agostbiro! And thanks for also sharing this example of a blockchain attack tree.