Threat Modeling Exercises

Threat modeling is a collaborative exercise through which members of an organization can discuss the ways in which the products and features they are working on could be attacked, compromised, or abused in order to discover, document, and prevent potential threats.

Of all the ways in which a company could spend its time, money, and effort in order to improve its security, threat modeling exercises provide the best value and results.

The reason is that they involve the key members of the teams who know the product better than anyone. It's not a time-consuming process -- typically a full threat modeling exercise can be completed within 2 to 3 hours -- and it comes with additional benefits, like educating colleagues about aspects of the product or features that are outside of their focus area.

Entire books have been written about threat modeling, which is quite an extensive subject. My belief is that many organizations, typically large ones, tend to overcomplicate the process through the use of flow charts, org charts, workflow diagrams, and architecture diagrams. Creating and maintaining these diagrams consumes more time documenting the process than producing the core results of the exercise. Essentially, they turn what should take a few hours through a team effort into a full-time position for at least one individual. I recommend avoiding this type of work and the overly complex threat modeling software that exists -- these are a waste of time for most organizations, especially those who are just getting started with their first threat modeling exercise. In a world where a new microservice can be spun up in a matter of hours, complex threat modeling diagrams will be grossly outdated before you even complete them.

In this chapter, I'll walk you through the lightweight process that I've used with my clients step-by-step so that you can successfully apply threat modeling with your teams at your company.

Lightweight vs Heavyweight

"All models are wrong but some are useful." - George Box

It seems as though every mention of threat modeling is required to include this quote. Don't get me wrong -- it's a great quote and the reason why will become quite clear when I describe my own lightweight approach. Assuming that all models will be wrong, I prefer models that may lack detail but are up-to-date. Put another way, this lightweight approach ensures that the model is low-resolution and current instead of high-resolution and outdated.