Blog

Threat Model Community Now?

  • 8 November 2022
  • 1 reply
  • 91 views


Now is the moment to (finally) build a global community to knit together practitioners. Why? Because there are too many misunderstandings about threat models and methods and too little industry consensus. 

We haven’t yet defined a discipline. How do we teach? How do we support each other and those who are newer? What are the biggest challenges newbies face? 

Despite decades of discussion amongst a few experts, and numerous standards recommending or requiring threat modeling (though in the past under other names), threat modeling has too often remained a side-show, sometimes considered a “black art” only for the properly initiated. 

Recently, threat modeling has received a lot of public notice and discussion. Threat models are a topic du jour. OWASP added "Insecure Design" to its 2021 Top 10. Presidents suddenly seem interested (Executive Order 14028). Experts seem to be coming out of the woodwork.

But do these newly surfaced experts actually know what they're talking about? How would someone without a fair level of experience judge expertise? In fact, what defines a "threat modeling expert"?

Take venerable STRIDE, which Microsoft pioneered about 20 years ago. What is it? What’s it good for? How does STRIDE fall short? 

These are really important questions, which I've long since answered for myself, my colleagues, and my students (partly based upon interaction with hundreds of practitioners and conversations with the likes of Robert Hurlbut @RobertHurlbut, Frank Swiderski, and Adam Shostack @adamshostack). But is there an industry consensus about STRIDE? Hardly.

Many times when I talk with security people, they will equate STRIDE with threat modeling. 

Based upon my anecdotal evidence, too many believe that one cannot threat model without STRIDE, which is patently ridiculous. STRIDE isn't the only threat modeling method out there. Why (uselessly) categorize each attack in a model into one or more STRIDE categories? I worked at a consultancy that did exactly that, as though STRIDE were some sort of standard, which it most certainly isn't.

Please don't mistake me; STRIDE, used as intended, provides utility. I'm not trying to eliminate STRIDE or any other useful idiom. But where might an engineering dialog about STRIDE, its proper place amongst threat modeling techniques, its uses, and its abuses take place?

Sure, Chris Romeo (@Chris Romeo), Izar Tarandach (@izar), Adam Shostack (@adamshostack), and I might chat about STRIDE while having an otherwise delightful dinner. Even if we entirely agreed (which is unlikely), how would the results of that chat make their way into a collective understanding of practice? Each of us has already put our distinct approaches into our respective books.

I submit that a community that fosters lively but safe interchange has been needed for a long time. Sure, there's already some consensus amongst some of us. A glance at the Threat Modeling Manifesto will find that group's areas of agreement.

As Adam Shostack so wisely blogged a few years ago: technical review lies at the heart of robust engineering. 

Beyond those of us who’ve dedicated a significant part of our careers and public personas to threat modeling practice, where do we find wider input, gain the benefits from an “engineering review”? Where can we address some of the widespread misconceptions? Where can our (my) ideas get amended, refined, built upon? Where can we each go to learn from each other? 

Community. It’s been too long a-coming.


1 reply


So much wisdom in this post! Now is the time for all of us to join and invite anyone interested in threat modeling on earth to join this community and contribute.


