Choosing the Right Threat Modeling Methodology
With new threats emerging exponentially in an increasingly networked ecosystem, threat modeling has transitioned from a theoretical concept into an information security best practice.
Organizations are using threat modeling as a way to bring together developers, testers, security engineers, and business owners to understand the risks and threats associated with their data, organization, and user community, in an effort to factor in security from the beginning of the software development lifecycle.
As threat modeling methodologies evolve in response to more use and application from the community, security professionals are recognizing that choosing the right methodology for your organization leads to wider adoption and better results.
No matter what methodology you use, a threat model will seek to answer four basic questions:
- What are we building?
- What could go wrong?
- How are we going to respond to something going wrong?
- Did we do a good enough job?
Let’s take a look at four different methodologies and assess their strengths and weaknesses.
STRIDE, Microsoft’s threat modeling methodology, is the oldest, most well-documented, and most mature methodology. It was developed to help ensure developers of Microsoft software think about security during the design phase. As such, STRIDE is highly development-focused.
STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege, and it maps the security properties of the CIA triad onto architecture and data-flow diagrams. Once a team constructs a data-flow diagram, engineers check each element of the application against the STRIDE classification scheme. The outputs are threats and risks derived directly from the design diagrams as part of the development process.
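The STRIDE-per-element pass described above, as an added example that is not part of the original article: a small data-flow diagram is modelled as external entities, processes, data stores and data flows, and each element is checked against the categories the standard STRIDE-per-element chart assigns to its type (external entity: S, R; process: S, T, R, I, D, E; data store: T, R, I, D; data flow: T, I, D). The sample system (browser, web application, order database) and its trust zones are constructed for illustration.

```python
"""STRIDE-per-element enumeration over a small data-flow diagram (DFD).

Added example, not from the original article. The DFD below is constructed
for illustration; the element-type-to-category mapping is the standard
STRIDE-per-element chart used with Microsoft's threat modeling approach.
"""
from dataclasses import dataclass

# Which STRIDE categories apply to each DFD element type.
# Repudiation on a data store applies where the store holds audit logs.
STRIDE_PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

CATEGORY_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str        # one of the STRIDE_PER_ELEMENT keys except "data_flow"
    trust_zone: str  # flows between different zones cross a trust boundary


@dataclass(frozen=True)
class Flow:
    name: str
    source: str
    dest: str


@dataclass(frozen=True)
class Threat:
    element: str
    category: str
    crosses_boundary: bool  # True for data flows that cross a trust boundary


# Constructed sample DFD: an internet-facing web app backed by an internal database.
ELEMENTS = [
    Element("browser", "external_entity", "internet"),
    Element("web_app", "process", "dmz"),
    Element("order_db", "data_store", "internal"),
]
FLOWS = [
    Flow("https_request", "browser", "web_app"),
    Flow("sql_query", "web_app", "order_db"),
]


def enumerate_threats(elements, flows):
    """Return one candidate Threat per (element, applicable STRIDE category)."""
    zones = {e.name: e.trust_zone for e in elements}
    threats = []
    for e in elements:
        for code in STRIDE_PER_ELEMENT[e.kind]:
            threats.append(Threat(e.name, CATEGORY_NAMES[code], False))
    for f in flows:
        crosses = zones[f.source] != zones[f.dest]
        label = f"{f.name} ({f.source} -> {f.dest})"
        for code in STRIDE_PER_ELEMENT["data_flow"]:
            threats.append(Threat(label, CATEGORY_NAMES[code], crosses))
    return threats


def prioritize(threats):
    """Boundary-crossing flows first: that is where untrusted input enters."""
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.element, t.category))


def by_element(threats):
    """Group category names per element, the shape a review checklist needs."""
    grouped = {}
    for t in threats:
        grouped.setdefault(t.element, []).append(t.category)
    return grouped


if __name__ == "__main__":
    for t in prioritize(enumerate_threats(ELEMENTS, FLOWS)):
        flag = "[boundary]" if t.crosses_boundary else ""
        print(f"{t.element:40} {t.category:24} {flag}")
```

The output is a checklist, not a finding: each row is a question the team answers against the design (for example, whether the browser-to-web_app flow's tampering entry is mitigated by TLS), and rows that cannot be answered with an existing control become the risks the methodology is meant to surface.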
The Process for Attack Simulation and Threat Analysis, or PASTA, is a seven-step process for risk analysis that is attacker-focused. The goal of this methodology is to align business objectives with technical requirements while taking into account business impact analysis and compliance requirements.
The process focuses on assets and evaluates risk in terms of business impact. PASTA threat modeling works best for organizations that wish to align threat modeling with strategic objectives, because it incorporates business impact analysis.
Trike is a compliance-focused threat modeling process that centers on satisfying security auditing requirements. Trike builds on a requirements model that assigns an acceptable level of risk to each asset.
Once the requirements model is in place, the team creates data-flow diagrams, and threats are enumerated with appropriate risk values. Users then build mitigating controls and prioritize threats. Because it requires the team to understand the entire system, the process can be challenging to apply to large-scale systems.
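A requirements model of the kind Trike starts from, as an added example that is not from the article or the Trike project: each actor is mapped against each asset and the actions (create, read, update, delete) it is intended to perform, and every cell yields a threat of one of Trike's two types, an actor performing an action it is not entitled to (elevation of privilege) or being prevented from an intended one (denial of service). The actors, assets, rules and the exposure-times-value risk score are constructed simplifications, not Trike's own scoring; the comparison against each asset's acceptable risk is the prioritization step the paragraph describes.

```python
"""Trike-style requirements model: actor x asset x action with acceptable risk.

Added example, not from the article or the Trike project. The actors, assets,
rules and the risk formula below are constructed for illustration.
"""
from dataclasses import dataclass
from itertools import product

ACTIONS = ("create", "read", "update", "delete")


@dataclass(frozen=True)
class Asset:
    name: str
    value: int            # 1 (low) .. 5 (high) business value
    acceptable_risk: int  # highest score the asset owner accepts unmitigated


@dataclass(frozen=True)
class Actor:
    name: str
    exposure: int  # 1 (trusted staff) .. 5 (anonymous internet user)


@dataclass(frozen=True)
class Threat:
    actor: str
    asset: str
    action: str
    kind: str   # "elevation_of_privilege" or "denial_of_service"
    risk: int


# Constructed sample: an online shop with customers and support staff.
ACTORS = [Actor("customer", 4), Actor("support_agent", 2)]
ASSETS = [Asset("order_history", 3, 6), Asset("payment_card", 5, 5)]

# Intended actions per (actor, asset); anything not listed is not intended.
RULES = {
    ("customer", "order_history"): frozenset({"read"}),
    ("customer", "payment_card"): frozenset({"create", "read"}),
    ("support_agent", "order_history"): frozenset({"read", "update"}),
    # support agents have no intended access to card data
}


def enumerate_threats(actors, assets, rules):
    """One threat per actor/asset/action cell, typed by whether the action is intended."""
    threats = []
    for actor, asset in product(actors, assets):
        allowed = rules.get((actor.name, asset.name), frozenset())
        for action in ACTIONS:
            if action in allowed:
                # Intended action an attacker could block: impact is the asset value.
                threats.append(Threat(actor.name, asset.name, action,
                                      "denial_of_service", asset.value))
            else:
                # Unintended action: simplified score = actor exposure x asset value.
                threats.append(Threat(actor.name, asset.name, action,
                                      "elevation_of_privilege",
                                      actor.exposure * asset.value))
    return threats


def needs_mitigation(threats, assets):
    """Threats whose risk exceeds the asset's acceptable level, highest first."""
    acceptable = {a.name: a.acceptable_risk for a in assets}
    flagged = [t for t in threats if t.risk > acceptable[t.asset]]
    return sorted(flagged, key=lambda t: -t.risk)


def run_example():
    return needs_mitigation(enumerate_threats(ACTORS, ASSETS, RULES), ASSETS)


if __name__ == "__main__":
    for t in run_example():
        print(f"{t.risk:3} {t.kind:22} {t.actor:14} {t.action:7} {t.asset}")
```

Changing a single acceptable_risk value reprioritizes the whole list, which is the property that makes this style of model useful for audits: the threshold is an explicit, reviewable statement of what the asset owner has agreed to accept.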
The Visual, Agile, and Simple Threat (VAST) modeling methodology scales threat modeling across the infrastructure and the entire software development lifecycle, integrating with agile and DevOps practices. VAST is enterprise-focused and provides actionable outputs tailored to the needs of each stakeholder.
Because developers' security concerns differ from the infrastructure team's, VAST lets teams create either application threat models, built on process-flow diagrams that map out the application, or operational threat models that show data flow.
Select What’s Right for You
Choosing the right methodology means finding what fits your SDLC maturity and ensuring the methodology produces the outputs you need. While all threat modeling methodologies can identify potential threats, the quality, quantity, and consistency of their findings may vary.