Today we’d like to quickly point you to an article written by Dana Epp called “The Evolution of Elevation: Threat Modeling in a Microsoft World,” which begins like this:
“I’ve been asked to give a history of threat modeling from the perspective of an outsider looking at Microsoft. While I’m flattered by the idea, I’m also petrified. I have my own views of what has happened over the past 15 or so years, and I suspect I’ll contradict the views of some people I respect at Microsoft. That said, I welcome the opportunity for those people to email me at firstname.lastname@example.org and let me know what I might have missed. Or, let the world know and open the conversation on Twitter by sending a tweet to @danaepp. What follows is my view on the evolution of threat modeling, and where we have ended up in 2012.
“The concept of threat modeling is not new—you can’t design a secure system until you understand the threats to it, and what weaknesses an adversary might exploit in the system. Thus, threat modeling.
“I remember reading an interesting article on attack trees, written by Bruce Schneier and published in Dr. Dobb’s Journal in 1999. Attack trees are a formal approach to model threats against computer systems that breaks down how a system can be attacked, node by node. It then assigns values on how probable a breach is. Attack trees help expose the attack surface of systems and software components, and the probability of attack. You can even assign a monetary value to each node to assist in quantitative risk analysis, allowing you to get to the heart of the areas on which you really need to work.”
We’re not pointing to Dana’s article because of its mentions of Microsoft Press (we swear). Dana’s history is full of interesting details. Enjoy!