Shostack + Friends Blog

 

Threat Model Thursday: Architectural Review and Threat Modeling

[no description provided] warehouse with many micro houses in various stages of completion

For Threat Model Thursday, I want to use current events here in Seattle as a prism through which we can look at technology architecture review. If you want to take this as an excuse to civilly discuss the political side of this, please feel free.

Seattle has a housing and homelessness crisis. The cost of a house has risen nearly 25% above the 2007 market peak, and has roughly doubled in the 6 years since April 2012. Fundamentally, demand has outstripped supply and continues to do so. As a city, we need more supply, and that means evaluating the value of things that constrain supply. This commentary from the local Libertarian party lists some of them.

The rules on what permits are needed to build a residence, what housing is acceptable, or how many unrelated people can live together (no more than eight [link to https://www.seattle.gov/dpd/cs/groups/pan/@pan/documents/web_informational/dpdd016420.pdf no longer works] ) are expressions of values and priorities. We prefer that the developers of housing not build housing rather than build housing that doesn't comply with the city's Office of Planning and Community Development 32 pages of neighborhood design guidelines. We prefer to bring developers back after a building is built if the siding is not the agreed color. This is a choice that expresses the values of the city. And because I'm not a housing policy expert, I can miss some of the nuances and see the effect of the policies overall.

Let's transition from the housing crisis here in Seattle to the architecture crisis that we face in technology.

No, actually, I'm not quite there. The city killed micro-apartments, only to replace them with ... artisanal micro-houses. Note the variation in size and shape of the two houses in the foreground. Now, I know very little about construction, but I'm reasonably confident that if you read the previous piece on micro-housing, many of the concerns regulators were trying to address apply to "True Hope Village," construction pictured above. I want you, dear reader, to read the questions about how we deliver housing in Seattle, and treat them as a mirror into how your organization delivers software. Really, please, go read "How Seattle Killed Micro-Housing" and the "Neighborhood Design Guidelines" carefully. Not because you plan to build a house, but as a mirror of your own security design guidelines.

They may be no prettier.

In some companies, security is valued, but has no authority to force decisions. In others, there are mandatory policies and review boards. We in security have fought for these mandatory policies because without them, products ignored security. And similarly, we have housing rules because of unsafe, unsanitary or overcrowded housing. To reduce the blight of slums.

Security has design review boards which want to talk about the color of the siding a developer installed on the now live product. We have design regulation which kills apodments and tenement housing, and then glorifies tiny houses. From a distance, these rules make no sense. I didn't find it sensible, myself. I remember a meeting with the Microsoft Crypto board. I went in with some very specific questions regarding parameters and algorithms. Should we use this hash algorithm or that one? The meeting took not five whole minutes to go off the rails with suggestions about non-cryptographic architecture. I remember shipping the SDL Threat Modeling Tool, going through the roughly five policy tracking tools we had at the time, discovering at the very last minute that we had extra rules that were not documented in the documents that I found at the start. It drives a product manager nuts!

Worse, rules expand. From the executive suite, if a group isn't growing, maybe it can shrink? From a security perspective, the rapidly changing threat landscape justifies new rules. So there's motivation to ship new guidelines that, in passing, spend a page explaining all the changes that are taking place. And then I see "Incorporate or acknowledge the best features of existing early to mid-century buildings in new development." What does that mean? What are the best features of those buildings? How do I acknowledge them? I just want to ship my peer to peer blockchain features! And nothing in the design review guidelines is clearly objectionable. But taken as a whole, they create a complex and unpredictable, and thus expensive path to delivery.

We express values explicitly and implicitly. In Seattle, implicit expression of values has hobbled the market's ability to address a basic human need. One of the reasons that embedding is effective is that the embedded gatekeepers can advise, interpret in relation to real questions. Embedding expresses the value of collaboration, of dialogue over review. Does your security team express that security is more important than product delivery? Perhaps it is. When Microsoft stood down product shipping for security pushes, it was an explicit statement. Making your values explicit and debating prioritization is important.

What side effects do your security rules have? What rule is most expensive to comply with? What initiatives have you killed, accidentally or intentionally?