Threat Modeling Unnecessary?

  • 6 September 2023
  • 6 replies
  • 127 views
joshdub
Rank
Userlevel 2
Badge

It’s easy for everyone in security to agree on doing extra work to create secure systems. In my experience, it seems that once we begin to socialize or implement the process/idea/system/etc. there is pushback from others. Threat modeling is no exception.

Implementing change, even if it is for the good, is difficult. Has anyone engaged with pushback to threat modeling? Either as a security practice or specific details in the methodology?

If so, I’d love to hear your thoughts on how the pushback was approached. Or, like my kids would say, how did you clapback??

Josh, out.

6 replies

Mark Merkow
Rank
Userlevel 2
Badge

Josh-

It’s true that people are resistant to change and even more resistant if the introduction to threat modeling is done poorly - like if a system is scoped too large to analyze or if the threat modeling coordinator fails being flexible or acts too strict, without allowing participants to learn while doing.  Any of these situations will put a ‘bad taste’ in the mouth of wannabe threat modelers and discourages them from trying it again on another project.

The solution then is to avoid boiling the ocean and constraining the scope of the modeling exercise so that people naturally understand where the weak links are, why they’re weak links, and what to do about them.  This takes practice and commitment to using threat modeling for producing useful and actionable information that proves it’s worthwhile engaging in it.  Once converted, those people will become your biggest advocates!

Shuning
Rank
Userlevel 6

Josh-

It’s true that people are resistant to change and even more resistant if the introduction to threat modeling is done poorly - like if a system is scoped too large to analyze or if the threat modeling coordinator fails being flexible or acts too strict, without allowing participants to learn while doing.  Any of these situations will put a ‘bad taste’ in the mouth of wannabe threat modelers and discourages them from trying it again on another project.

The solution then is to avoid boiling the ocean and constraining the scope of the modeling exercise so that people naturally understand where the weak links are, why they’re weak links, and what to do about them.  This takes practice and commitment to using threat modeling for producing useful and actionable information that proves it’s worthwhile engaging in it.  Once converted, those people will become your biggest advocates!

Thank you @Mark Merkow for the input! 👍

As Mark mentioned, effective scoping is one of the key strategies to bring people onboard and gain trust from “doubters.” To those looking to learn more about scoping, we’ll be discussing the best practices/success/challenge at our upcoming meetup led by @RobertHurlbut. Come join us!

 

~Shuning @Threat Modeling Connect~
chrdal75
Rank
Userlevel 2

Anything that might create more work is always met with resistance. A few things that I try to do it show how this will reduce your work in the long term. Mitigating risk early is much easier than dealing with the fallout of a poor design in production. I also decouple any type of monolith if possible. 

If we can make TM part of the Agile dev process it is also much easier to consume. 

izar
Rank
Userlevel 4
Badge

If I may shamelessly plug myself in there, I spoke exactly about that at LASCON 2022: "No, We Won't Be Threat Modeling":

“Threat Modeling has been growing as a discipline for the last few years, and much has been said about methodologies, how-to's, what to expect, what value to extract from it, and how to get it into the organization. But we haven't explored as much the failing modes of that introduction - how security practitioners can deal with individuals or organizations that are less receptive of the idea of Threat Modeling, can't see the value, don't have the resources or are just plain not interested in it. In this talk we will explore ways to deal with hearing "no" about Threat Modeling, and how to turn that into a "yes, but" that will eventually grow into a "yes". This talk is aimed at anyone with an interest in the process of Threat Modeling and in the process of adding Threat Modeling as a tool to their practice. Developers, Managers and Security Practitioners should all leave this talk with a number of tested suggestions on how to meet and surpass the most common obstacles to introducing Threat Modeling at an organization of any size.”

Feedback most welcome :D

"No, really - what could _possibly_ go wrong?"
JamesR
Rank
Userlevel 3
Badge

I had to google clapback. lol My kids have not made it to that stage thankfully.

Change is hard, especially when it forces an organization to “call their baby ugly” or confront technical debt from forced integrations of years gone by and then we add to that dynamic the reality that threat modeling late stage systems or applications is going to require rework/additional work for colleagues which heightens stress. 

Good change management operates at three levels. 

  1. Intellectual agreement - Does the team agree that threat model is beneficial for the organization, for the stakeholder, and ultimately for their role? 
  2. Emotional agreement - Does the team FEEL like this is not just checking a box and is actually making a difference in their lives and the lives of their customers. Shifting left is a great emotion agreement driver. The further left we shift, the less rework everyone is going to have. Secure by default before systems are authorized, before code is written. 
  3. Make the right way the easy way - Have we removed the obstacles from doing the right things vs the former way? If the new process is more difficult, has higher hurdles, a tremendous learning curve, you will find that users will soon forfeit to the former process. 

Integrating these items into the introduction of threat modeling in a formal fashion should hopefully reduce the change friction. 

James Rabe
Ajay
Rank
Userlevel 2

Threat modelling has been around for a while and is one form of activity in securing your environment. I would say yes it’s necessary and particularly so when you consider the rise in zero day attacks over the recent years. With the huge amount of vulnerability information available in the public domain to consider when threat modelling, it would be no surprise why there is “clapback” ! The key to this to get your stakeholders onboard and engaged and help them to realise the benefits of this activity (and drawbacks without it). Fortunately, over the recent years also, threat modelling tools have come to the fore to help make this activity much easier.

Reply


Terms and Conditions, Community Guidelines and Privacy.Cookie settings
V2