Who should know what?

  • 1 November 2022
  • 5 replies

Userlevel 3

A question that comes up frequently in discussions: the manifesto says everyone should do threat modelling, but if we are not security specialists, what would be the value? Wouldn’t we just waste time bouncing our amateur ideas off each other?

I say - bring on the bouncing! Yes, it is better to have someone with security specialisation in the room, but a team that understands “What are we working on?” is practically guaranteed to find something useful when exploring “What can go wrong?”

Why is that the case? Because collaborative threat modelling excels at finding “unknown knowns”. Whether you use STRIDE, prompt cards, the EoP game, any brainstorming method really - the team members will confess all sorts of horrors that they hadn’t realised were relevant before now. Debug functionality with remote access that nobody had removed since release v0.01. Shared accounts, authorisation bypasses, that “TODO” function they wrote ten years ago that somehow was never prioritised.


Userlevel 3

On behalf of Avi:

Yay bouncing!


Userlevel 5

@AviD FYI 😁

Userlevel 1

Hahahaha! Lol @adamshostack … (thanks @Shuning for the ping!)

But yes, I actually use that exactly for developers. I like to talk about finding hidden or implicit assumptions - we even do some exercises precisely around that, and use Socratic questioning to great effect; senior architects love that.

Plus, once you’ve stated your assumptions, they are no longer implicit, they’re explicit - or rather, stated requirements, and that’s already something that PMs, architects, devs, and QA all know how to deal with :-)

Userlevel 4

I learn something new whenever I work with a team to perform a threat model. Sometimes I learn from the devs or QA, and other times from product folks. The point is that everyone has a diverse perspective and knows the system according to their role. I never enter a threat modeling engagement knowing the most about what we’re modeling. I enjoy asking questions, half of which I think I know the answer to, and the other half I’m not sure about.

I also find that such “bouncing” makes all future communication much more fluid, which, of course, helps to facilitate a healthy culture around security.