Good security begins with effective threat modeling

At the beginning of February I flew out to Seattle and spent some time on the Microsoft campus talking with various leaders of Microsoft Trustworthy Computing. I was there primarily to talk about the origins and evolution of the SDL (Security Development Lifecycle), and we tried very hard to keep the conversation focused at a general business level and not go off into the “techie” weeds, but one term kept coming up over, and over, and over again: Threat Modeling.

Threat modeling is a mantra for Microsoft Trustworthy Computing. I met with six different individuals that day, and in almost every conversation the term “threat modeling” came up at some point. It is part of the Microsoft Trustworthy Computing DNA.

Michael Howard—a Principal Consultant for Cybersecurity with Microsoft, and co-author of the book Writing Secure Code, which was used as a sort of blueprint for the SDL—told me flat out, “Threat modeling is something that we literally ram down people’s throats.”

“The thing is that most people don’t even know the fundamentals. That is really the core issue I think we have,” explained Howard. “There are fundamentals that span deployment scenarios; that span operating systems and development languages. We’re still not teaching kids in school those fundamentals.”

As far as Michael Howard and Microsoft are concerned, one of the most important fundamentals of developing secure code is threat modeling.

Howard relayed a story of interviewing a student from an engineering school at a prestigious university. She was working on a thesis related to some sort of mobile, collaborative technology, and Howard asked her some basic questions. He asked her what are the security threats the technology must deal with, what are the privacy issues it faces, and what are the concerns related to reliability. Her answer across the board was that she had not considered those elements, and did not care about those issues.

Howard stressed, “It’s a travesty because we’re building things that are massively interconnected. You can’t ignore this stuff.”

When I was a security consultant at EDS, one of the roles I played was to engage with development teams early in the design stage to try and identify security concerns. The idea was similar to what Microsoft accomplishes with threat modeling, but the problem was that we were still constrained by the limits of our own imaginations. We could only conceive of and identify those threats that occurred to us.

Howard told me that is not the case with Microsoft’s approach to threat modeling. “You don’t need to be a security expert to do this. You know how we’re always telling everyone to ‘think like an attacker?’ That’s probably the worst advice you can give anybody, because unless you are one, you can’t think like one.”

The message I got from talking with the people at Microsoft Trustworthy Computing is that in order to build a secure system, you have to first understand the threats to that system, and the most effective way to accomplish that goal is through threat modeling.

Howard summed it up nicely. “I don’t think anyone should strive for perfection. What you want to do is strive for the things that you can actually get done that raise the bar so the risk is reduced.”

Microsoft has created a card game to teach the core concepts of threat modeling. The Elevation of Privilege (EoP) card game is a very popular giveaway at conferences, or when Microsoft visits school campuses. It gamifies the Microsoft STRIDE threat model to educate players on the fundamentals of spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege.

Microsoft also offers a free Threat Modeling Tool to help people analyze the security of their systems and identify design issues. The tool enables you to define the attack surface for an application and find the weaknesses so they can be addressed during product design, and reduce the potential for exploitation.