What's your favorite Threat Modeling methodology?


Userlevel 1
Badge

Since there are many different threat modeling methodologies (STRIDE, PASTA, DREAD, etc), I’d like to ask the community members:

Which methodology is your favorite, and why?

 

I’ve only used STRIDE and I’m eager to hear everyone’s thoughts on the others.


10 replies

Userlevel 3
Badge

Hi Brandon,
working without tool support I usually opt for STRIDE, but mostly because that was the first one I saw and therefore, that is the one I am most comfortable with.

One aspect you might consider is how you need to work with your findings later on: is your task “simply” to work down the findings list or do you need to channel your findings list (gaps) and later on you work progress in a broader risk management process. In the latter case, STRIDE can be a bit cumbersome as  it mostly shines in identifying threats. It does not provide much help in scoring or otherwise prioritizing the findings. It is certainly doable, but not neccessary straightforward at first or without having training in risk analysis methods. 

On the other hand, I do not see this as a limitation of STRIDE: I rather think about it as treating risk management / analysis as part of the broader picture or keeping it explicitly out-of-scope… at least I can not remember to come across any source linking STRIDE and risk management. 

Also the alternative methods considering risk analysis steps of some form after drafting out your initial threat model tend to use ovesimplified models anyway (think risk matrices, low-medium-high categorisation of some sort)...so you might be better off finding you own thruth here anyway :-)

Userlevel 1
Badge

I think “favorite” is the wrong term here.

It’s like asking “which bear is best bear?” It depends what you need the bear for. 

A better question, as @adamshostack often reminds us, is “which methodology is useful?” 

And IMO the answer can, and should, change depending on context. The product, the feature, the architecture, but also the team, the skills, the culture, as well as your goals from the threat modeling - e.g. do you need CYA documentation, or trying get devs to fix things quickly without you? 

STRIDE is very often (but not always) wonderful because it is easy to get started with, devs can build a mental model around this, and it is usually useful for finding important ways to secure the feature you’re building. 

OTOH, I will often prefer more lightweight approaches, e.g. with PMs or resource-constrained dev teams. Just enough to get them hooked, start making small improvements, and grow organically. 

Userlevel 4
Badge

I’ve had a love-hate-love relationship with STRIDE. When I started threat modeling and teaching others to model, I found STRIDE straightforward to explain and grasp. THEN I got headstrong and decided STRIDE was too simplistic. I wanted to jump directly into CWE with developers, and I got a rude awakening. I’m now back to loving STRIDE because it is simple and easy to explain. I hope that developers outgrow STRIDE within a few threat models, or even better, they internalize it and no longer need to think of it as a different methodology.

Userlevel 2
Badge

I use STRIDE to teach others how to threat model but do not use it. I sometimes use STRIDE-LM. I sometimes use PASTA, however doing so in a lightweight fashion can be challenging. I utilize attack trees because I find them useful regardless of methodology.

Userlevel 1
Badge

I think “favorite” is the wrong term here.

 

Thanks for the reply! My question is asking for an opinion so answers will naturally be subjective. Claiming a methodology as your favorite doesn’t automatically mean you think it’s the best. Ruby is my favorite programming language for reasons, but I wouldn’t call it the best because as you mentioned, it depends on the context..

What are some examples of your preferred lightweight approaches?

 

Userlevel 1
Badge

It does not provide much help in scoring or otherwise prioritizing the findings. It is certainly doable, but not neccessary straightforward at first or without having training in risk analysis methods. 
 

Have you used another methodology that helps with scoring and prioritizing findings?

Userlevel 1
Badge

I utilize attack trees because I find them useful regardless of methodology.

Attack trees have come up a few times in my threat modeling journey. Do you have any preferred resources that deep dive into attack trees?

Userlevel 1
Badge

I hope that developers outgrow STRIDE within a few threat models, or even better, they internalize it and no longer need to think of it as a different methodology.

That’s interesting, and brings up my next question:
Have you seen many instances of teams “outgrowing” a methodology? I imagine it can be a fairly organic change for mature orgs.

Userlevel 2
Badge

 

A better question, as @adamshostack often reminds us, is “which methodology is useful?” 

And IMO the answer can, and should, change depending on context. The product, the feature, the architecture, but also the team, the skills, the culture, as well as your goals from the threat modeling -

Yes, I’m definitely in this camp.  In my opinion one of the biggest determining factors is the frame of reference of the team.  If they’re familiar with security concepts, then STRIDE could work well.  But if they are developers and relatively new to security then I would go for something more technology specific like @izar ‘s https://github.com/Autodesk/continuous-threat-modeling or even starting with the OWASP ASVS and threat model backwards (start with the countermeasure and then figure out if you need it or not).

Userlevel 3
Badge

I hope that developers outgrow STRIDE within a few threat models, or even better, they internalize it and no longer need to think of it as a different methodology.

That’s interesting, and brings up my next question:
Have you seen many instances of teams “outgrowing” a methodology? I imagine it can be a fairly organic change for mature orgs.

Like Chris, I too have a love-hate-love relationship with STRIDE. 

I don’t think its possible to outgrow STRIDE. Leveraging STRIDE as a set of lenses to look at the system through, adding more lenses to look through can only be a good thing. 

Its great to have additional reference material to support threat modelers though. I think thats where the addition of things like Linddun, NIST, MITRE frameworks, etc can really help provide insight and knowledge to identify other threats.

Reply


V2