This talk was recorded.

Watch the recording on YouTube.

Let's build secure systems!

Is your threat modeling program a success?

Take Home Message Preview

  1. We can threat model all kinds of things - including processes.
  2. The threat modeling of threat modeling
    threat modeled threat modeling.
  3. You can threat model your program, too!

Agenda for today

  1. Threat Modeling
  2. Threat Modeling of Threat Modeling
  3. Threat Modeling of your Threat Modeling

Hendrik Ewerlin

https://hendrik.ewerlin.com/security/

  • empowers people to build secure systems
  • Developer → Cyber Security Architect
    at since 2010
  • likes TM + E2EE + human-centered security
  • likes philosophy + quotes + everyday wisdom


Threat Modeling

secure = protected from danger

danger = possibility of harm occurring

protection = likelihood ↓ / harm ↓

Shostack's
4 Question Frame
for Threat Modeling

  1. What are we working on?
  2. What can go wrong?
  3. What are we going to do about it?
  4. Did we do a good (enough) job?

Meta Threat Modeling

Idea

Let's apply threat modeling
to threat modeling itself!

This is not about attacks.

It is about success of a process.

How to
threat model
a process

Usability
(ISO 9241-11:2018)

≈ how well your offer helps people
achieve their goals

Success

  1. Effectiveness:
    achieved the goal
  2. Efficiency:
    quality ↑ cost ↓
  3. Satisfaction:
    🥰

Harm

  1. Effectiveness → Blocker:
    failed / stuck
  2. Efficiency → Inefficiency:
    💰💰💰 → 💩
  3. Satisfaction → Frustration:
    ☹️

(ISO 9241-11:2018 quotes)

  • "Usability = extent to which a system, product or service can be used by specified users to achieve specified goals with effectiveness, efficiency and satisfaction in a specified context of use"
  • "Effectiveness = accuracy and completeness with which users achieve specified goals"
  • "Efficiency = resources used in relation to the results achieved"
  • "Satisfaction = extent to which the user's physical, cognitive and emotional responses that result from the use of a system, product or service meet the user’s needs and expectations"

  1. What do people want?
  2. What do we offer to support this?
  3. What can go wrong?
  4. What are we going to do about it?

Threat modelers want to ...

  • secure the system.
  • threat model "the right thing".
  • find relevant threats.
  • find appropriate mitigations.
  • see mitigations implemented.
  • [...]

We offer a process / program.

Will they achieve their goals?

Threat Modeling
of Threat Modeling
#meta

The project
Threat Modeling
of Threat Modeling #meta

threat modeled threat modeling.

Generic

  • targets "vendors wanting to succeed with their threat modeling program".
  • assumes Shostack's 4 Questions approach.

+ Question 0

  • can't assume everyone threat models already
  • adds question 0: How do we threat model?

Threat Modeling
YOUR
Threat Modeling

Threat Sources

  • We + others
  • Lessons learned + foreseen threats
  • Do generic threats apply to us?

Generic → Specific

  • Generic activities → actual selected tools
  • Generic actor → actual people and teams

Take Home Message

  1. We can threat model all kinds of things - including processes.
  2. The threat modeling of threat modeling
    threat modeled threat modeling.
  3. You can threat model your program, too!
    ... And this is what we do now!

Interactive Sessions

Now

  • We meet in breakout rooms.
  • Rooms have facilitators who lead the discussion and share their screen.
    (Thanks - Laura, Mila, Maria, Lilith, Amit, Lars-Christian, Claire & James!)
  • Together, we threat model threat modeling!

Breakout Session Board

Prompts

  1. When we threat model... What can go wrong? What are we going to do about it?
  2. More specific:
    • When we start out...
    • When we discover threats...
    • When we plan mitigations...
    • When threat modelers communicate...
  3. What didn't work? How did you fix it?

Session facilitators

(not in the presented slide deck)

Let's go!

▶️ Breakout Sessions

Results

The following slide has results after 22 minutes of collaborative Meta Threat Modeling in small groups. Zoom in to explore.

(not in the presented slide deck)

Final

Insight sharing

  1. What have you learned methodically?
  2. What was a remarkable threat?

Take Home Message

  1. We can threat model all kinds of things - including processes.
  2. The threat modeling of threat modeling
    threat modeled threat modeling.
  3. You can threat model your program, too!

Let's build secure systems!

More from Shuning

Outtake

0. How do we threat model?

“The biggest threat for threat modeling is not doing it.”

- Izar Tarandach

Why threat model?

  • [0.1.1] Blindness
  • [0.1.2] Insecurity
  • [0.1.3] Actual Damage

Outtake

1. What are we working on?

Outtake

2. What can go wrong?

"Was blind, but now I see..."

  • [2.1.1] Blind spot
  • [2.1.2] Blind area
  • [2.1.2b] Threat FOMO (fear of missing out)
  • [2.1.3] Hard threat discovery

Relevance

  • [2.1.6] Irrelevant threats
  • [2.1.7] Loss of big picture

Outtake

3. What are we going to do about it?

Too weak?

  • [3.1.4] Single underestimated risk
  • [3.1.5] All-acceptable bias
  • [3.2.3] Mitigation underkill
  • [3.2.8] Too much confidence in a particular mitigation

Too strong?

  • [3.1.6] Single overestimated risk
  • [3.1.7] All-critical bias
  • [3.2.1] Unfeasible / high effort mitigations

"There is nothing good,
unless one does it."

  • [3.3.3] Undone mitigation
  • [3.3.2] Security theater

Outtake

4. Did we do a good job?

[4.4.2] Local learnings?

Share!