Threat Modeling Collaboration


Questions and Answers

What is the primary purpose of using different colors in collaborative editing, as suggested in the content?

  • To make the diagram look aesthetically pleasing.
  • To categorize threats based on their severity.
  • To highlight the most important parts of the diagram.
  • To visually differentiate contributions from different participants. (correct)

According to the content, it is advisable to threat model an entire system at once to ensure comprehensive coverage.

False (B)

Name one collaboration tool mentioned in the text as being successfully used for threat modeling.

Mural

Deciding the right focus and level of detail for a threat modeling session is called 'identifying the ______'.

scope

Match the example scopes with their descriptions:

  • Scope in current iteration = Focuses on the security aspects of the code and features being developed in the current development cycle.
  • An upcoming security sensitive feature, such as a new user registration flow = Specifically targets features that involve handling sensitive user data or access control.
  • The continuous delivery pipeline and delivery infrastructure = Involves assessing the automated processes and systems used to build, test, and deploy software.

Which of the following strategies is recommended for managing large groups in remote threat modeling sessions?

Divide participants into smaller groups and then consolidate their output. (C)

According to the content, remote threat modeling sessions typically require fewer breaks than face-to-face sessions due to reduced physical strain.

False (B)

What specific deliverable is provided by Mona Fenzl and Sarah Schmid to help teams start threat modeling with a collaboration tool?

Threat modeling template

In which scenario might threat modeling be focused to expose authentication flaws specifically using mathematical proofs?

Verifying collision resistance in cryptographic hash functions used for digital signatures (D)

Which of the following best describes the core purpose of threat modelling according to the article?

To identify potential security risks and plan defenses. (C)

The article suggests that complex and exhaustive upfront analysis is the most effective way for modern software teams to implement threat modelling.

False (B)

What is identified as a significant driver for the increasing importance of threat modelling in software development?

Rising cyber security risks

To make threat modelling more accessible and effective for development teams, the article advocates starting with a _____ approach.

simple

Which strategy for simplifying threat modelling is NOT explicitly mentioned in the article?

Focusing on compliance requirements first. (A)

What frequency of threat modelling does the article recommend for integration into modern software development workflows?

Little and often

According to the article, effective threat modelling is crucial because enterprises are becoming more aware of their _____ related to cyber security.

liabilities

What is the primary purpose of threat modeling?

To identify potential ways to attack or compromise a system. (D)

During a threat modeling session, it is more beneficial to focus on the 'happy path' rather than exploring a wide range of possible threats.

False (B)

Name one technique mentioned for encouraging diversity of thought during threat brainstorming sessions.

Ensure everyone has access to pens and stickies and suggests at least one potential threat regardless of background or experience.

The Thoughtworks' set of cards designed to improve the understanding of security concepts are called ______ cue cards.

STRIDE

Match the following security concerns with their corresponding questions.

  • Data Overflow = Can the data overflow and become instructions?
  • Lack of Evidence = If there's no evidence, it's easy to deny it happened.
  • Service Interruption = Could the service be taken down?
  • Circumvention of Protections = How easy is it to circumvent protections?

During the brainstorming phase of threat modeling, what principle should guide the generation of ideas?

Accepting all ideas without judgment. (B)

What is a key recommendation for managing discussions during the initial threat brainstorming phase?

Postpone in-depth debates about the validity of threats. (C)

Constraints at a technical level are irrelevant in preventing cybersecurity losses.

False (B)

Prioritizing threats should be the first step in the threat modeling process, before brainstorming potential attack vectors.

False (B)

List three examples, provided by the content, of captured threats that could be written on a sticky note.

SQL injection from Internet, lack of encryption in database, no Multi-Factor authentication

What is meant by 'evil brainstorming' in the context of security?

Coming up with ways to attack, break or frustrate a particular bit of software.

In the context of threat modelling, what does 'Follow the data-flow lines!' encourage you to do?

Trace the path of data to identify potential vulnerabilities at each step. (C)

Attackers often exploit trusted data flows within a system to move around. This movement is often called ________?

pivoting

A security team discovers that an internal web application lacks input validation, potentially making it susceptible to cross-site scripting (XSS) attacks. An attacker successfully exploits this vulnerability to inject malicious JavaScript into the application. When legitimate users visit the compromised page inside the web application, the injected script executes within their browsers and steals their session cookies; the attacker then uses these cookies to access sensitive customer data stored in the application's database. Which security principle from the list below would best address this type of threat?

Defense in Depth (D)

A common anti-pattern during threat brainstorming involves someone saying 'Yeah but...', which often leads to premature ______ that can stifle the creative process.

debates

A publicly accessible internet environment is generally considered to pose a greater security risk than a properly secured backend network.

True (A)

In system diagrams, the divisions between distinct networks are commonly marked by what are known as ______ boundaries.

authorization

What is the primary purpose of depicting data flow in a system diagram during a threat modeling exercise?

To visualize the movement of information and identify potential threat pathways. (A)

Define 'assets' in the context of system security as described in the provided text.

Assets are information or services within a system that hold business value and require protection to maintain confidentiality, integrity, and availability.

Match the following terms with their descriptions in the context of network security and threat modeling:

  • Authorization Boundary = Demarcation line between different security zones.
  • Data Flow Diagram = Visual representation of information movement.
  • Gateway Device = Component like a firewall or load balancer.
  • Assets = Valuable data or services requiring protection.

In which scenario would omitting the illustration of gateway devices like load balancers or firewalls in a system diagram be considered acceptable during a threat modeling session?

When the session's scope is narrowly defined and gateway devices are deemed less relevant to the immediate objectives. (A)

Briefly explain why the open Internet is characterized as more hazardous compared to a well-secured backend network, even when the backend is cloud-hosted.

The open Internet is inherently more dangerous due to its public accessibility, vast scale, and exposure to a multitude of unknown and potentially malicious actors, unlike a backend network which is designed with access controls and security measures.

What is the MOST critical reason for explicitly identifying and illustrating authorization boundaries in a system diagram during the initial stages of threat modeling?

To clearly delineate areas where security responsibilities shift and different controls are needed. (A)

Creating a data flow diagram directly supports threat brainstorming by visually outlining potential pathways for threats to propagate through the system, making it easier to ask 'What can ______ go wrong?' at each stage.

data

What is the overarching goal of conducting a threat modeling session, as described in the provided text?

To systematically brainstorm and identify potential security threats relevant to a system. (A)

Flashcards

Threat Modeling

A risk-based approach to designing secure systems by identifying and mitigating threats.

Mitigation

Identifying potential threats and developing ways to reduce their impact.

Threat Modeling 'Little and Often'

A collaborative approach to threat modeling, done frequently in small increments.

Start From the Technology

Beginning with the specific technologies used in the system to identify potential threats.

Collaborative Approach

Involving multiple people and roles in the threat modeling process to get different perspectives.

First Key Question to ask?

What could go wrong?

Third Key Question to ask?

What are you going to do about it?

Collaborative Editing

Working together on a document in real-time.

Block Diagrams

Graphical representations of system components and interactions.

Color Coding

Using visual cues to categorize and prioritize information.

Scoping the Session

Selecting the appropriate boundaries and detail for an activity.

Value-Driven Focus

Focusing on the most valuable aspects during a session.

Timeboxing

Breaking down a task into smaller, more manageable parts.

Continuous Delivery Pipeline

A development approach focusing on continuous integration and deployment

Delivery Infrastructure

The underlying tech that supports software releases and runs the applications.

Security Sensitive Feature

Features that involve sensitive data or critical functionalities.

Authorization Boundary

A delineation between different security zones, often representing different levels of trust or control within a system.

Security Assets

Valuable data or services that need protection, including confidentiality, integrity, and availability.

STRIDE

A mnemonic (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) used to brainstorm security threats.

Spoofing

Assuming someone else's identity for malicious purpose.

Tampering

Maliciously altering data or code.

Repudiation

Denying responsibility for an action.

Information Disclosure

Exposing information to unauthorized individuals.

Denial of Service (DoS)

Preventing legitimate users from accessing a service.

Elevation of Privilege

Gaining higher-level permissions than you should have as a standard user.

Brainstorming Rule

During brainstorming, all ideas are welcome, and there are no incorrect answers.

Attacker Pathways

Attackers exploit the same data pathways within a system as trusted users.

Cause of Cyber Losses

Cybersecurity losses happen when technical safeguards are insufficient.

Capturing Threats

Quickly capture each threat, including enough detail to understand and annotate on the diagram.

STRIDE Application

Think about the different ways that STRIDE concepts might apply to a data-flow.

Security Concepts

Security concepts to understand before starting a project.

STRIDE Cue Cards

A set of cards created by Thoughtworks to aid in learning the six security concepts.

Brainstorming Threats

Suggesting as many threats as possible related to a system or application.

Diversity in Threat Brainstorming

Encouraging diverse perspectives and ensuring everyone participates in threat suggestion.

Postpone Threat Debates

Postponing debates about the validity or impact of suggested threats to a later stage.

Follow the data-flow lines

A technique to visualize potential vulnerabilities and risks by analyzing the flow of data in a system.

Study Notes

  • Threat modeling is a structured approach to designing secure software by identifying threats and developing mitigations.
  • Modern software teams use it because it aims to prevent cyber losses over the lifetime of the system.

What is Threat Modeling?

  • Involves identifying threats, attacks, vulnerabilities, and countermeasures.
  • Many causes combine to result in security losses.

Principles of Threat Modeling

  • Start from the technology, specifically the system's data and services.
  • Take a collaborative approach to gather diverse perspectives.
  • Integrate threat modeling into the software development lifecycle.

Threat Modeling Process

  • The process consists of preparing to start, then answering three key questions.
  • Spend roughly a third of each threat modelling session on each of the three questions.

Explain and Explore

  • What are you building technically?
  • Outcome: Technical Diagram

Brainstorm Threats

  • What can go wrong?
  • Outcome: A list of all possible technical Threats

Prioritize and Fix

  • What is the team going to do to fix the threats?
  • Outcome: Prioritized fixes added to backlog

Preparing to Start Threat Modeling

  • Planning should involve both technical and non-technical team members.
  • Sessions should be time-boxed for efficiency.
  • Once started, teams should threat model every sprint without fail.

Explain What You Are Going To Build

  • Diagrams are designed to communicate.
  • Draw a 'lo-fi' technical diagram of the system.

Guidelines for Lo-Fi Diagrams

  • Illustrate the components and the main data flows involved.
  • Represent and label each type of user group the system has, and who they are.
  • Show assets, particularly personally identifiable information.

Brainstorm Threats: What Can Go Wrong?

  • Use STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to help categorize threats.
    • Spoofed Identity: Can someone impersonate another?
    • Tampering with Input: Can data be altered maliciously?
    • Repudiation of Action: Can actions be denied?
    • Information Disclosure: Can sensitive information be exposed?
    • Denial of Service: Could service be taken down?
    • Elevation of Privilege: How easy is it to circumvent protections?

Prioritize and Fix: What are you going to do about it?

  • Prioritize threats by risk, considering business value and broader threat landscape.
  • Identify top riskiest threats through group voting.
  • Capture security fixes in the backlog, defining concrete next steps called controls, mitigations, or safeguards.

Types of Security Fixes

  • Acceptance Criteria: Extra scope on existing stories, reflecting authorization checks.
  • Stories: Implement a particular control or split from an existing story.
  • Timeboxed Spikes: Investigate vulnerabilities or find the best solution.
  • Definition of Done: Conditions and acceptance criteria for feature completion.
  • Epics: Significant bits of security architecture identified during threat modeling.

Improving Threat Modeling Practice

  • Conduct retrospectives to evaluate and refine the process.
  • Experiment with different diagram types and domain-specific threat libraries.
  • Complement threat modeling with automated tools in the software delivery pipeline.

Conclusion

  • Effective threat modeling improves security understanding across the whole team.
  • It is a proactive way to manage cyber-risk.
  • It is a transformative and collaborative practice.
  • Run threat modelling and promote it in any software team.
