Threat Modeling, then and now

Way back in the day, when we were doing the initial threat models for the Vista audio stack, I wrote a couple of articles about threat modeling and the process as I saw it then.

Well, I've now been through another round of writing threat models (I wrote three new threat models for beta2), two different sets of threat model training, and reviews of all the beta2 threat models, and I've realized that a bunch of my thinking about the threat modeling process has changed.

I'm still a 100% convert to threat modeling; there are a couple of potential issues in the audio stack that we probably wouldn't have thought of if we hadn't gone through the process.  But I've also come to realize that many of the things I wrote about last year were either naive or unnecessary.

Some of the aspects of threat modeling I wrote about are critical - data flow diagrams, for example, are the heart of a good threat model.  But others aren't nearly as important (threat trees, for example - it turns out that most people simply don't have the training to build a threat tree reasonably).

I'm also still a fan of the BTMBM; it helps to validate your threat model and ensure its completeness, but I'm not sure that it's the core of the threat modeling process - when I wrote that early article, I didn't realize how critical the DFD was in building a good threat model.  Nowadays, I've come to realize that if you've got a good DFD, you can build a good threat model.

Btw, there are now some other resources on threat modeling available from Microsoft, including the applications threat modeling team's blog. Peter Torr also wrote a great article for IEEE Security&Privacy entitled "Demystifying the Threat-Modeling Process".  Unfortunately that last one's not available online; IEEE charges $19.00 for the PDF of the document (unless you're an IEEE member, in which case it costs somewhat less), but you may be able to find it in a library (it's from the September/October 2005 issue).