Shostack + Friends Blog Archive


There's more than one way to threat model

Today, most presentations on threat modeling walk through every phase of the process: how to model what you’re building, what can go wrong, and what to do about it. Presenting those phases as one tightly coupled process can be great if you’ve never heard of an approach to threat modeling. But it adds to the challenge for those trying to execute the process, who have to work out what knowledge and skills they can re-use and what they need to replace.

Two of the big ideas in Threat Modeling: Designing for Security are that there’s more than one way to threat model, and that we can and should compose those ways. We can move beyond every talk covering how to model, how to find problems, and how to fix them. And when we do that, we improve our ability to engage with new approaches quickly, because the cost of experimenting with one falls.

One such new approach is DIAL: Discovery, Incorrectness, Authorization/Authentication, Limits/Latency. It’s a set of ‘threats’ to reliability, being explored by my colleagues in Microsoft Trustworthy Computing’s Reliability team. DIAL is an interesting complement to security threat modeling, and it starts with a D, which (of course) stands for Denial of Service in STRIDE but for Discovery here. And that’s sort of neat.

Anyway, the blog posts are worth checking out:

  1. Reliability vs. resilience
  2. Categorizing reliability threats to your service
  3. Reliability-enhancing techniques (Part 1)
  4. Reliability-enhancing techniques (Part 2)

[Update: inserted “D” in the “starts with a ..” sentence. Thanks Mike for pointing out the error!]