MSDN Magazine - July 2008 - (Page 117)

Adam Shostack

Security Briefs

Reinvigorate Your Threat Modeling Process

My colleague Ellen likes to say that everyone threat models all the time. We all threat model airport security. We all threat model our homes. We think about threats against our assets: our families, our jewelry, and our sentimental and irreplaceable photographs (well, those of us old enough to have photos that never existed in digital form do). We model threats based on architecture: there’s a wall here, a picture window there, and an easily climbed tree that we can use when we forget our keys. And we model threats based on attackers. We worry about burglars and kids falling into pools. We also worry about the weather, be it earthquakes, snow, or tornadoes.

If I wanted to sound like a management consultant, I’d say you employ a mature, multi-dimensional assessment process, with a heavy reliance on heuristics and low reproducibility across instances. At the same time, it’s likely you won’t have thought of everything or implemented defenses against every possible attack. It’s very unlikely you have a home defense management plan or have ever run a penetration test against your home.

As we build software, regardless of whether we’re in an agile or a waterfall world, we need agreement on what we’re building, what we’re not building, and what we’re doing to ensure we’re building the right thing. In the past few years, a perception that threat modeling is a heavy, bureaucratic process has been generated. There are some good reasons to move toward adding processes; I’d like to talk about them, some lessons learned from these processes, and how to put the fun back in threat modeling while making it an efficient, agile-friendly activity that anyone can do.

There are more threat modeling methods out there than I can dream of covering in one column. There’s also a tremendous diversity of goals. Should your threat modeling process be fast or deep? Should it focus on assurance and completeness, or ease of use? Should you involve experts or developers in every meeting? Do you have organizational or industry rules you need to follow, such as the Microsoft® Security Development Lifecycle (SDL) or the rules for medical device manufacturers? The high level objective should be to understand security issues early so you can address them in the design rather than try to overcome design flaws later. Some of the major ways to approach threat modeling activity include the following:

Assets

Asset-driven threat modeling is much like thinking about what you want to protect in your house. You start by listing what assets your software has associated with it, and then you think about how an attacker might compromise those assets. Examples include a database that stores customer credit cards or a file that contains encrypted passwords. Some people may interpret an asset as an element of the threat modeling diagram, thinking that a Web server itself is an asset. That way lies madness. Digital assets are things an attacker wants to read, tamper with, or deny you the use of.

Attackers

Attacker-driven threat modeling involves thinking about who might want your assets, and it works from an understanding of their capabilities to an understanding of how they might attack you. This works great when your adversary is a foreign army with a known strategic doctrine, physical world limits, and long-leadtime weapons systems development. This works less well when your adversary is a loosely organized group of anonymous hackers. More generally, it’s not clear this is useful in software threat modeling. There are certainly people for whom “think like an attacker” is an effective part of design analysis. It’s less clear that this is a reproducible process in which people can get training. If you’re going to start from attackers, it’s probably worth using a standard set. It will be helpful to have a small set of these anti-personas written out.

Approaches to Threat Modeling

There are many things called threat modeling. Rather than argue about which is “the one true way,” consider your needs and what your skills, abilities, and schedules are, and then work with a method that’s best for you. As part of that approach, some people ask, “What’s your threat model?” and “Have you threat modeled that component?” One is requirements elicitation, the other design analysis. At Microsoft, we almost always mean the latter technique.

Figure 1 The Threat Modeling Process