Security — Threat modelling
I’m sitting on the train at Manchester Piccadilly waiting for my train to depart and thought to start writing up a few thoughts about a workshop I attended on security threat modelling by the ever so inspiring Rich.
- Data flow diagrams. This is the place to start with threat modelling: draw out what your system looks like. I feel a data flow diagram may feel difficult to do on your own, so I would consider including your team members to draw it out. I would also consider dividing the sessions between drawing the data flow diagram and the threat modelling workshop.
- STRIDE — Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service and Elevation of Privilege. I’ve been trying to digest the meaning behind this, which helps me understand what each of these means.
  - Spoofing: you can think of this as being an imposter — pretending to be someone you’re not.
  - Tampering is when you are interfering with something, like data.
  - Repudiation basically involves someone doing something naughty and you can’t trace it back to them. So things like logging are important for this.
  - Information Disclosure is about data being exposed beyond those who should have access to it.
  - Denial of Service — This is about using up the resources needed to provide a service.
  - Elevation of Privilege is about someone gaining more permissions than they should have, so it comes down to making sure users of your system have the minimum set of permissions to do what they need to do. So, for example, an administrator not having super admin rights where they can change absolutely anything.
Games
There is a free online game you can play for threat modelling that you can find here: threatagentsgame.com. Games are a fun and informal way to introduce new topics to your team. I enjoyed the card game that Rich created. I really hope he mass produces the game as it was fantastic. There were cards with different threats and then agents to counteract the threat.
Everyone is a beginner once
What I found very inspiring was how Rich knew absolutely nothing about security, however, his desire to know more about the topic took him out of his comfort zone. He read and learnt about security, and started to experiment with his team.
How to bring threat modelling into your team?
I wrote a few thoughts here. The first one is GO FOR IT! It may be new and feel out of your comfort zone, but you don’t know until you try. You could try a talk to start, then with that hopefully you will have found your allies. Then you could move on to a practice session with your trusted allies before moving to a session with the full team.
Final takeaway thought
The last takeaway I have is that it’s not a one-off thing, a threat modelling workshop. You need to be continually doing it as you go. One thing that I haven’t quite got my head around is what triggers doing it after the first time. Do you have any thoughts about this?