“Includes No Dirt” is a threat modeling approach by William Dougherty and Patrick Curry of Omada Health, and I’ve been meaning to write about it since it came out. I like that it starts from context, the “why this matters”: their goal is to have a single approach to security, privacy, and compliance. Reducing re-work is tremendously important to integrating into a development process and “shifting left.” The paper is available for download without registration, and is self-contained.
First, let me say that I think this is really nice work. Clean, if you will, and clearly grounded in having reviewed prior work without feeling a need to include it all. The white paper contains 4 main parts:
- The NO DIRT model for learning what can go wrong
- Putting NO DIRT into action
- Sample assessment questionnaires and brainstorming worksheets
The section “putting NO DIRT into action” is particularly interesting as a list of “when”, “who” and “how,” to show how the same technical work can serve five different organizational goals. I also like that one of the “whens” is vendor risk management. No one involved likes the practice of sending long spreadsheets full of questions like “do you have a clean desk policy” back and forth. (Which is why there’s 3 million job openings: people prefer to take a job as a TSA screener.) More seriously, an approach that focuses on exchanging threat models is a welcome and important development, and that approach can be seen as a new and useful building block.
The scoring system is interesting, and I am somewhat surprised to see the direct translation from a score to a high/medium/low, but I suspect that that relates to the oversight mechanisms in place.
I like that the questionnaire and brainstorming worksheets are clearly separate from the core model, both by the word sample, and by their inclusion as appendices. It took me a bit to understand that appendix A is samples (showing the work) and B is samples (for use).
My understanding is that the authors would be happy to see it adopted and adapted, and my very small critique is that I’d like to see explicit permission to build on the questionnaire, under a Creative Commons or similar license.