This post is a result of a conversation on the Application Security Podcast. Adam Shostack joined Robert and me, and the topic was remote threat modeling. We’re all living in this new world where we’re working from home. The question we pose is, how will we make progress on rolling out threat modeling when we can’t meet with people face to face and work directly on a whiteboard? If you’d like to hear the full conversation and see our attempt at remote threat modeling, you’ll find this episode on YouTube.
We’ve written extensively about threat modeling in the past, including “Threat modeling: better caught than taught,” where we expound upon the approach of teaching threat modeling by doing.
1. Choose your tool/approach.
Successful remote threat modeling begins by choosing the right tool and approach and keeping collaboration top of mind. Make sure everybody has similar tools.
When choosing a tool, you have two options: drawing tools and threat modeling tools. Drawing tools exist to create various types of pictures, not threat models precisely. They do tend to provide a remote angle, allowing collaboration as a primary feature. Drawing tools can be augmented to perform threat modeling remotely.
A drawing tool allows you to create diagrams, get consensus around what you’re working on, and where the trust boundaries are. You’ll consider how the assembly of your application, what the components are, and manage your threat modeling work. You can use the drawing tool to help with the analysis of what can go wrong, but you’ll want to use a separate approach to track your threats, as the drawing tool does not do this natively.
Adam did an investigation and evaluated five different tools. He concluded that Miro was an excellent option to begin working with to perform the drawing phase of threat modeling. Miro is what we used in our experiment.
Note: None of us have any vested interest in Miro’s success other than we’re threat modeling people, and we want to figure out how to do this better remotely.
One advantage of Miro is its remote collaboration capabilities. We were able to build out a threat model quickly (based on a pre-created template) and work together on it from three different locations. The collaborative features allowed us to each see what the others were working on in real-time.
Threat modeling tools
In the OWASP world, we have OWASP Threat Dragon, about to release version 1.1. It’s free and open source. We’ve written about OWASP Threat Dragon in the past, “Why OWASP’s Threat Dragon will change the game on threat modeling.”
The challenge with the current version of Threat Dragon is scale. There are a series of Enterprise features that Threat Dragon will need to be effective at the Enterprise level. Adam was at Microsoft and Chris was at Cisco, and both acknowledged that the tool is something to keep an eye on or do a small proof of concept with but needs more work for the Ente
Continuum’s IriusRisk is a Threat Modeling platform that uses a data flow diagram and questionnaires and is oriented towards an enterprise and working across many separate threat models. This tool is worth a review if you are considering how to scale threat modeling remotely.
2. Be collaboratively deliberate.
Many tools exist for remote collaboration today, from Zoom, WebEx, BlueJeans to Google Hangouts. The technology is there, but the bigger question is how we put this technology into use to facilitate threat modeling.
Focus on using technology in such a way as to avoid friction. Tools should naturally allow collaboration inside the solution, or you use other video screen sharing tools that enable many folks to see a screen or see multiple screens at the same time.
When teaching threat modeling, some hate the idea of video-based sharing. The benefit of employing full video with remote threat modeling is the ability to read the room and determine how people are engaged. If someone appears to be distracted, video allows you to invite them back into the conversation, not by embarrassing them, but by asking a question to get them to re-engage in the threat modeling process.
Our advice is to enable video and focus on deliberate collaboration in your remote threat modeling sessions.
3. Set up your tool/approach in advance of your remote threat model.
One lesson learned is to ensure you properly prepare for your remote threat modeling session. We found in using Miro that we had to sign up for accounts and share a Board to collaborate as a group. If you are approaching remote threat modeling with your team, create a set of instructions on what developers need to do in advance of the session.
Another setup step is to create your data flow diagram template before the start of your first session. It will be a terrible experience for your threat modeling student to sit quietly for the first ten minutes of the meeting while you create the template and try to verbalize and draw at the same time. Build the template in advance as preparation for a successful teaching session.
We are all living in strange times right now, with everyone working from home. Based on our experimentation, we’ve found that remote threat modeling is not only possible but can be very productive as we embrace this new world. The key to successful remote threat modeling is to choose the correct drawing or threat modeling tool from the beginning and set up your tool and template to serve your threat modeling student best.