From the course: Learning Threat Modeling for Security Professionals
A simple approach to threat modeling
From the course: Learning Threat Modeling for Security Professionals
A simple approach to threat modeling
- At the heart of threat modeling are four incredibly simple questions: what are we working on, what can go wrong, what are we going to do about it, and did we do a good job? We use these questions because they're easy to remember. The first question is about the project we're working on at the moment we kick off threat modeling. The four questions together give structure to our threat modeling work. They work in an Agile world or a Waterfall one. They work for all sorts of projects: apps, web services, microservices, infrastructure, networks, and even the things that make up the Internet of Things. If you want to be old-fashioned, they even work for boxed software and enterprise apps. The specific answers to the four questions might look different when working on different sorts of projects. The way to describe a microservice is different than the way to describe a network, but the questions, the principles, and the approaches remain the same. We start with what are we working on because, well, if you can't answer that, most other questions are going to be pretty frustrating. I'll use the Red30 Advertising Network as my model, and for this project, we're adding autoplaying media. Our customers are really excited about the opportunity to engage eyeballs with catchy jingles at unexpected times. (deep sigh) Let's make sure we do so securely. You might see other frameworks out there for how to threat model, ones that say start from a list of attackers or the things you want to protect. Both are attractive but hard to do right. Unless you're James Bond, you know less about your adversaries than you know about your current project, and starting by making a list of the things to protect can take you away from the scope of the project you're working on right now. There are other issues with the things you want to protect approach, but for right now, focus on what you're working on, because that's where you care about what can go wrong and what you're going to do about it, all of which makes it easier to do a good job.
Download courses and learn on the go
Watch courses on your mobile device without an internet connection. Download courses using your iOS or Android LinkedIn Learning app.