Meta Threat Modeling

Meta Threat Modeling applies Threat Modeling techniques to Threat Modeling itself. It makes our Threat Modeling efforts more effective, efficient and satisfying. The same approach can also be applied to other aspects of a security program.

More than a retrospective ("Did we do a good job?"), it foresees threats to our Threat Modeling efforts and tames them before they become real problems.

The method can be executed in two fashions that inspire each other:

  1. In a generic view, we threat model the Threat Modeling efforts of "any" vendor. We reduce assumptions, so that the analysis fits many vendors.
  2. In a specific view, we take a close look at our specific Threat Modeling program. We incorporate all the details, even team structures and cultural aspects, so that the analysis fits our circumstances perfectly.

The following survey collects resources on Meta Threat Modeling, including Meta Threat Models. It will be updated to be the go-to portal for the topic.

It is presented in chronological order. Later entries may or may not have been aware of the earlier ones.

Threat Modeling Lessons from Star Wars (IT-SECX 2019 Keynote)

Recording published 2019-11-12, by Adam Shostack

... presents "Top Ten Lessons", each in a "Trap" → "Fix" style.

The 10 Traps
  1. "Think like an attacker"
  2. "You're never done Threat Modeling"
  3. "The way to threat model is..."
  4. Threat Modeling as one skill
  5. Threat Modeling is easy
  6. Threat Modeling is for specialists
  7. The wrong focus
  8. Straining against the supply chain
  9. Laser-like focus on threats
  10. Threat model at the wrong time

The Threat Modeling Manifesto

Published 2020-11-17 by Zoe Braiterman, Adam Shostack, Jonathan Marcil, Stephen de Vries, Irene Michlin, Kim Wuyts, Robert Hurlbut, Brook S.E. Schoenfield, Fraser Scott, Matthew Coles, Chris Romeo, Alyssa Miller, Izar Tarandach, Avi Douglen, Marc French

The Threat Modeling Manifesto can readily be read as a generic Meta Threat Modeling collection of threats and mitigations.

It has values (X over Y), patterns and anti-patterns.

Reversing a value (Y over X) may harm the success of the Threat Modeling program and can therefore be articulated as a threat. Example: the opposite of "Doing threat modeling over talking about it" is an organization that talks about threat modeling all the time but never actually does it.

Each pattern can be viewed as a mitigation, with its opposite as the threat. Example: "Varied Viewpoints" mitigates the threat of missing crucial threats because a single person analyzes the system alone.

Each anti-pattern is a threat, and the Manifesto supplies the mitigation. Example: "Admiration for the Problem" with the fix "Go beyond just analyzing the problem; reach for practical and relevant solutions".

Threat Modeling Capabilities

Published 2024-01-11 by Kim Wuyts, Matthew Coles, Sarah-Jane Madden, Avi Douglen, Zoe Braiterman, Izar Tarandach, Adam Shostack, Robert Hurlbut, Irene Michlin, Stephen de Vries, Fraser Scott, Sebastien Deleersnyder, Jonathan Marcil, Brook S.E. Schoenfield, Chris Romeo

... "provides a catalog of capabilities to help you cultivate value from your Threat Modeling practice." The absence of each capability, together with the associated damage to the effectiveness, efficiency and satisfaction of the Threat Modeling program, can be interpreted as a threat; the capability itself is the mitigation.

DevSecOps Worst Practices

Recording published 2024-01-13, by Tanya Janca

... features 15 "Worst Practices" with solutions in the context of DevSecOps. Much of it concerns Developer ⇆ Security interactions and a healthy DevSecOps culture.

The 15 Worst Practices
  1. The boy who cried wolf...
  2. Untested tools
  3. Artificial gates
  4. Missing test results
  5. Runaway tests
  6. Impossible SLAs
  7. Untrained staff
  8. Forgotten bugs
  9. No positive reinforcement
  10. Only worrying about YOUR part!
  11. Multiple bug trackers
  12. Insecure SDLC
  13. Overly permissive CI/CD
  14. Automation ONLY in the CI/CD
  15. Hiding mistakes and errors

The ⛈️☂️(⛈️☂️) Threat Modeling of Threat Modeling #meta

First published 2024-02-24 by Hendrik Ewerlin with feedback & inspiration from Axel Schreiber, Izar Tarandach, Kim Wuyts, Avi Douglen, Matthew Coles, Irene Michlin, Adam Shostack, Chris Romeo, Robert Hurlbut and others

... is a comprehensive generic Meta Threat Modeling analysis. It is the first to explicitly introduce meta "Threat" and "Mitigation" terminology in the context of a Threat Modeling program. It has more than 100 threats and associated mitigations.

Threat Modeling of Threat Modeling Application Security Podcast Episode

Published 2024-03-05 with Robert Hurlbut, Hendrik Ewerlin and Chris Romeo

... discusses the inspiration behind the ⛈️☂️(⛈️☂️) Threat Modeling of Threat Modeling #meta project and some of its contents.

[Video] [Audio]

Topics discussed in this episode
  • Hendrik's security origin story
  • What makes threat modeling a success?
  • Why do vendors totally need threat modeling?
  • Struggles when introducing threat modeling
  • Motivation behind the project
  • VISUS journey
  • Generalized, extended and published analysis for a public audience
  • How this project might help practitioners get inspired and build better threat modeling programs
  • How to threat-model a process?
  • Why add phase 0 "How do we threat-model?"
  • Some challenges of getting started
  • Discussing some of the first topics of the analysis:
      • 0️⃣ 🧩 Develop software without threat modeling (may serve as motivation) [0.1]: ⛈️ [0.1.1] Blindness, ⛈️ [0.1.2] Insecurity, ⛈️ [0.1.3] Actual Damage
      • 🧩 Design Threat Modeling process (how) [0.3]: ⛈️ [0.3.2] Perfect process trap, ⛈️ [0.3.6] Non-actionable process
      • 🧩 Train and Launch Threat Modeling program [0.5]: ⛈️ [0.5.1] Lack of training, ⛈️ [0.5.2] Too theoretical training
      • 🧩 Catch up on threat models for existing products [1.1]: ⛈️ [1.1.1] Threat modeling a “giant”
      • 🧩 Threat model new developments [1.2]: ⛈️ [1.2.1] Outdated threat models, ⛈️ [1.2.4] Mitigation debt / Security later & “later=never” anti-pattern
      • (Nothing was covered from the 2️⃣ “What can go wrong?” phase, the 3️⃣ “What are we going to do about it?” phase, the 4️⃣ “Did we do a good (enough) job?” phase or the *️⃣ overarching aspects; the goal of the episode was to introduce the project.)
  • Call to Action from Chris and Hendrik: Please read, get inspired and give feedback!
  • Lightning round

The 🙂 Fortunately🙁 Unfortunately of 🙂 Fortunately🙁 Unfortunately #meta

Published 2024-07-23 by Hendrik Ewerlin

... examines the Fortunately Unfortunately method of Threat Modeling in its own style.

Meta Threat Modeling Threat Modeling Connect Community Meetup

Hosted 2024-08-23 by Hendrik Ewerlin

... presented Meta Threat Modeling in a Community Meetup and introduced "Meta Threat Modeling" as a category. It tried the method in interactive live sessions with small groups.

[Video recording] [Slide Deck] [Exercise Results after 22min]

Topics discussed in this Meetup
  • Basics of threat modeling
  • Why not apply threat modeling to threat modeling itself and foresee and mitigate threats before they become real problems?
  • Meta Threat Modeling
  • How to threat model a process: Usability Threat Modeling and the BIF threat categories
  • System diagram of the ⛈️☂️(⛈️☂️) Threat Modeling of Threat Modeling #meta
  • Rough overview: 🧩 Discover threats [2.1]
  • Example threat: ✨⛈️ [2.1.3] Hard threat discovery
  • Differences between threat modeling generic Threat Modeling and threat modeling your own
  • Breakout sessions, where participants got to threat model their own threat modeling, supported by a simple Mural board and awesome and engaged facilitators
  • Insight sharing

Security Champion Worst Practices (NDC Security 2025)

Recording published 2025-03-25, by Tanya Janca

... features 11 "Worst Practices" with solutions in the context of building a Security Champions program.

The 11 Worst Practices
  1. Unmaintainable pace
  2. Unclear responsibilities
  3. Involuntary volunteers
  4. Failures in recruitment
  5. Unrealistic responsibilities
  6. No top-down support
  7. Lack of metrics
  8. Poor educational planning
  9. Unmotivated champions
  10. Poor social settings
  11. High turnover

To be continued...