Threat Modeling vNext

Written by

Posted on 1 Comment

You may have read that Threats Manager Studio is based on Threat Modeling vNext. But what really is this Threat Modeling vNext? This article tries to answer this question, with the help of some articles published on the Simone On Security blog.

Threat Modeling vNext is an evolution of some of the current approaches. In particular, it represents an evolution of Microsoft’s STRIDE approach. Being designed by Microsoft employees, it is only natural to use that experience as a starting point. Threat Modeling vNext does not represent a revolution, though: many of the original characteristics have been maintained, and others have been changed.

In designing Threat Modeling vNext, we have tried to address some of the problems we faced during our Threat Modeling activities, including:

  • The Threat Modeling process has gradually degenerated, moving from an experience where the goal was to identify risks and mitigations without much help from the tool, to a situation where automation has been extremized. Neither those two approaches have given very good results: the first favors the experts, by improving their efficiency and effectiveness, but essentially makes impossible for non-experts to produce anything useful. The second approach tries to simplify the experience for non-experts but sometimes does it at the expense of the experts. The result is that both categories tend to produce mediocre results.
  • Sometimes automation is achieved by using complex knowledgebases defining entities, threats, mitigations, and how they must be applied. The problem of this approach is that maintaining those knowledgebases may be very complex, because they need to cover all the possible technologies and scenarios. Moreover, if you select a knowledgebase, you may not be able to switch to another at a later stage. As a result, you may not be able to cover all the topics you need to cover with your specific project.
  • Threat Modeling tend to be too expensive as a practice. This is clearly perceived as a problem by the wide public, proof is that organizations like Security Compass have defined accelerated processes.
  • The results obtained with Threat Modeling sometimes are not clearly differentiated from what could be achieved faster, for example with checklists or best practices.
  • Threat Modeling tools tend to be closed systems. For example, it is very hard to integrate them with other solutions, including LoB systems.
  • Threat Modeling covers part of a Risk Management process: the Risk Analysis. It can do much more: Threat Modeling could be at the center of the Risk Management process.
  • And finally, Threat Modeling is mostly an experience for Threat Modelers. Instead, it is a process to understand and manage Security Risks. As such, it interests many roles, including Technical ones like Developers and Architects, and non-Technical roles, like Project Managers and Product Owners. They have different needs and competencies, therefore it stands to reason that they should have access to the Threat Model in specialized ways. Still, many tools do provide only a single view, to cover a specific role.

Those ideas are summarized in the blog with the article Threat Modeling vNext Story, and then with a series of six articles, showing how different roles may need different experiences:

The final article the series, A single, authoritative and flexible tool for Threat Modeling, discusses the need to get a single tool to address most of those very specific needs, versus having specialized tools.

If you are interested in Threat Modeling vNext and want to learn something more, I would recommend you to watch a webinar I’ve recorded not long ago: Threat Modeling vNext, or Optimising Threat Modeling to Meet Your Business Needs.

This is the story and the reason why we have designed Threat Modeling vNext. But what really is it?

First of all, Threat Modeling vNext is a philosophy. It is the idea that Threat Modeling should not be a static process, but something very dynamic and flexible, capable of addressing multiple needs, to integrate with existing processes and to drive a sound Risk Management process. The process should give great liberty, defining only a few rules of the game. You can look at those rules as the letters that compose the alphabet, and therefore the alphabet would represent the concepts on which everything is built. Everyone can use those rules to create elements that would then be composed to create the final experience.

In practical terms, as part of this alphabet we have concepts like the Entities, the Flows and the Trust Boundaries, the Threat Types and the Mitigations. Those concepts are extremely lightweight: for example, you will not find a field to represent a STRIDE category for the Threats, because we do not want to require you to follow a specific categorization. If you really want to, you have the possibility to extend the metadata for objects using the concept of Properties and Property Schemas. You can also derive new concepts from the basic ones, creating for instance what we call Item Templates. Then, you can package it all in what we call Templates, which are nothing less than knowledgebases. Bottom-up composition is the mantra, in Threat Modeling vNext: this means that you can create your own experience by composing simple elements to create the experience you need. This is implemented by Threats Manager Studio (TMS) with the possibility to load Templates at any time: in fact, you may create your Threat Model out of a composition of zero, one or many Templates, as you like. With this approach, knowledgebases become suddenly manageable, because you may have many of them, each one very simple and managed by a part of the Community.

Threat Modeling vNext means also that we want to allow easy integration of Threat Modeling with other processes. Here, the key role is played by Threats Manager Platform, the Open Source Engine and SDK used to build TMS. With this new approach, the Threat Modeling tool would not be something closed, but a container of components, which are called Extensions. This allows to create a module to integrate the tool into Azure DevOps, for example, then everyone can install that module and synchronize its Mitigations as Backlog Items. Or a Company like Amazon could build an Extension to get the definition of some Cloud solution from AWS, to create semi-automatically a Threat Model. It even allows to re-host the Engine, for example in an internal site of your Organization: this would allow your Development Teams to upload their Threat Models and your site would be able to provide a fast evaluation of its quality of eventually submit to some expert for a review.

Your imagination is the limit.

As said above, one important characteristic we want to have out of a Threat Modeling vNext tool, is to allow users with different needs to get specialized views from the single truth, which is represented by the Threat Model itself. For example, Business Decision Makers may use tools like the Overview Dashboard, to get a look at what is the current risk, what they can do and what the effect would be.

The Overview Dashboard.

Another important issue we are trying to address with Threat Modeling vNext and Threats Manager Studio, is that it is too hard to get quality Threat Models fast. With TMS we have already achieved some remarkable results on that account, including the creation of a Threat Model for a production system in 12 hours, producing a complete report including a Roadmap of mitigations. With the previous process it would not have been possible to achieve the same quality, and even the best among us would have needed at least 40 hours.

Is it perfect? No, it isn’t. But it is a starting point.

Posted in Uncategorized

About the Author:

I have been a Consultant with Microsoft for 15 years and so. As such, I have gained strong competencies around Software Architectures and Methodologies with a focus on Microsoft technologies. I have been working for Microsoft in the Consultancy department since January 2000 mainly for Customers in the Financial sector. Now I am a Senior Premier Field Engineer on Security. In this role I am helping customers in adopting Microsoft Security Products, Technologies and Methodologies. Application Security is one of my main area of interests, even before joining Microsoft: the very reason why I have been hired by Microsoft are a set of articles I have written on Security and specifically on Cryptography between years 1998 and 1999. I am now a member of the Microsoft InfoSecurity Force European Team. As a Microsoft Employee, I have assumed the roles of Developer, Lead Developer, Architect and Microsoft Development Technologies expert. This has allowed me to work for important Banks and Financial Institutions like Intesa SanPaolo, Deutsche Bank, Monte dei Paschi di Siena and Unicredit, and also for P.A. Organizations like INPS, the largest social security and welfare institute in Italy and one of the most important on a European level. The gained experience can be applied to many contexts, not only on Financial Businesses, because it has been mainly focused around technology and soft abilities, like interpersonal awareness and interaction with different people and different organizations. On May 2016 I have assumed the role of Co-Lead of the Worldwide Microsoft Technical Community for the Security Development Lifecycle.

1 comment

  1. Pingback: Going Beyond - Threats Manager Studio

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: