This post was written by Chris Romeo during his tenure at Security Journey.
Threat modeling has always been a dream of mine. Not that I sit around and dream of threat modeling all day, but I dream of embedding a process of security threat modeling within an entire development organization.
Threat modeling, the process of discovering potential security vulnerabilities in a design and eliminating those vulnerabilities before writing any code, fits best during the stage of planning and designing a new feature. When threat modeling is firing on all cylinders, an organization is creating more secure software.
What if I told you that you already know how to threat model, and that you threat-model every day? Think about when you left the house this morning. You closed the door behind you and you began to threat-model the area around you. You heard cars rushing by on the street, exceeding the speed limit. Threat. You heard a dog barking from the direction where you needed to walk. Threat. The sun was beating down on you. Threat. You threat-model all the time as you consider how these different events could damage your person. Threat modeling technology is just applying these same principles to software.
Threat modeling is a state of mind
I’ve found in my 20-plus-year career in security that threat modeling is more than just a tool; it’s a state of mind. Threat modeling is most impactful when it moves from a developer process to a developer state of mind. In the beginning, developers use the process to assist in understanding the steps and repeating the results.
As developers become more proficient with threat modeling, the security light bulb goes on over their heads, and their thinking changes. They choose more secure design options without thinking about it. Tooling is important because it lays the foundation of how to perform the threat modeling process and makes it available to a large group of people simultaneously.
The challenge with teaching an entire organization to threat model is that there were no decent, simple tools that simplified the process and were usable, until now. Threat modeling is not a new concept. Microsoft pioneered this idea within its SDL years ago, including the development of the STRIDE methodology, which drives threat modeling.
It even created the first tool on the market, and it has updated it a few times over the years. It’s not a bad tool, but it only runs on Windows and focuses its use cases on Windows services and Azure cloud solutions. This is a deal breaker for most of the companies that want to adopt an enterprise approach to threat modeling. With all the diversity of OS and platforms, plus mobile, a web-based solution is needed.
Over the last several years, a cottage industry of threat modeling consultants and purchasable tools has sprouted up. The challenge with threat modeling consultants is that most of the ones I have encountered do not understand how to tailor threat modeling to a given enterprise. They teach a single, one-size-fits-all process. This approach makes developers mad, because it does not directly apply to the software they build.
I’ve examined the other tools on the market, and my complaint with them all is that they are too complex. For true enterprise adoption of threat modeling, any tooling that drives the process must be easy to learn and use.
Enter the Threat Dragon
As an industry we are in luck, because there is a new open-source tool, just released to alpha, called the OWASP Threat Dragon. OWASP Threat Dragon is web-based and easy to use and adopt. This tool is the first real open-source product that can be used to make threat modeling a reality in all organizations.Mike Goodwin is the author of Threat Dragon. Here are his three primary objectives for this tool.
1. Provide a great user experience that is simple to use.
To be adapted to any industry, the UX has to be great.
2. The tool will contain a threat/mitigation rule engine.
This is important, because the rule engine is how you make a threat model useful to a developer who has no knowledge of security. You have the developer draw a picture of something he knows (his feature), and then use the rule engine to “detect” potential vulnerabilities and suggest them to the developer. The rule engine teaches the developer how to detect security problems in design.
3. Integrate Threat Dragon with other development tools.
The aim: to provide developers with a cohesive solution for secure design and code. When you first visit the Threat Dragon page, you’ll notice that the only authentication option currently available is GitHub. This is because Threat Dragon is designed to store your threat models with your existing GitHub projects. The idea is that threat models are stored close to the final code so they can be considered when creating new features or updating an existing feature.
How you can get started with Threat Dragon
Your first step as a Threat Dragon modeler is to create a threat diagram. That's just a simple data flow diagram that shows how information moves from the external side (user land) of an application, and how it flows into the internals of an app. The threat diagram is kept simple by providing only process, data store, actor, data flow, and trust boundary for you to use to draw your feature. We can thank Microsoft for defining this simple set of shapes in its Threat Modeling tool.
After you are happy with your diagram, you begin the process of identifying threats. Because this tool is still in alpha, the rule engine has not yet been coded. This does not stop this tool from being useful, though. STRIDE is a fundamental set of possible threats (Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, and Elevation of Privilege). Even in its current state, you can create threats from those categories on your threat diagram. In the future, the rule engine will do much of this heavy lifting for you directly.
Threat modeling gets real
OWASP Threat Dragon is in its infancy, but it has the makings of a powerful tool that is still easy enough to teach to an entire army of developers. Threat Dragon is poised to quickly overtake the industry as the best possible choice for threat modeling. With the release of the OWASP Threat Dragon, there is now a threat modeling tool that can be adapted to any industry.
I look forward to the opportunity to roll this tool out across an entire organization and make my dream come true.