⛈️☂️(⛈️☂️) Threat Modeling of Threat Modeling #meta

Yes, threat modeling is important, but how can we make it a success? What can go wrong? What are we going to do about it? This project threat models threat modeling #meta.

Threat Model: Latest Version

• Version 1.2.0, 2024-07-09, online, interactive with open/close toggles
• Version 1.2.0, 2024-07-09, PDF export, all details expanded

PDF Version history

• Version 1.0.0, 2024-02-24: First public release
• Version 1.1.0, 2024-02-27: Added the Thanks section
• Version 1.2.0, 2024-07-09: Asorted extensions
  Release notes

  • Improved texts, community feedback, better open/close for introduction
  • Additional video on incremental threat modeling at ⛈️ [1.1.1] Threat modeling a “giant”
  • Beginner resources canvas at ⛈️ [2.1.3] Hard threat discovery
  • +⛈️ [0.1.5] Penetration Test only Application Security
  • +⛈️ [2.1.2b] Threat FOMO (fear of missing out)
  • +⛈️ [2.1.13] Blindness reward / Clarification penalty
  • +⛈️ [3.2.14] Mitigation bypass / Vicious circle of threats introduced by mitigations
  • +⛈️ [3.2.15] Mitigation off switch
  • +⛈️ [4.5.1] Lack of Celebration / Missing out on Joy of Realization (”Verwirklichungsfreude”)

Reception

• Insightful pre-release conversation about the project at the OWASP #threat-modeling slack channel
• Launch post and discussion at the OWASP #threat-modeling slack channel
• Talking about the project at the Application Security Podcast with Chris Romeo and Robert Hurlbut:
  
  
  Topics discussed in this episode

  • Hendrik's security origin story
  • What makes threat modeling a success?
  • Why do vendors totally need threat modeling?
  • Struggles when introducing threat modeling
  • Motivation behind the project
  • VISUS journey
  • Generalized, extended and published analysis for a public audience
  • How this project might help practicioners get inspired and build better threat modeling programs
  • How to threat-model a process?
  • Why add phase 0 "How do we threat-model?"
  • Some challenges of getting started
  • Discussing some of the first topics of the analysis:
  • 0️⃣ 🧩 Develop software without threat modeling (May serve as motivation): [0.1] ⛈️ [0.1.1] Blindness, ⛈️ [0.1.2] Insecurity, ⛈️ [0.1.3] Actual Damage
  • 🧩 Design Threat Modeling process (how) [0.3]: ⛈️ [0.3.2] Perfect process trap, ⛈️ [0.3.6] Non-actionable process
  • 🧩 Train and Launch Threat Modeling program [0.5]: ⛈️ [0.5.1] Lack of training, ⛈️ [0.5.2] Too theoretical training
  • 🧩 Catch up on threat models for existing products [1.1]: ⛈️ [1.1.1] Threat modeling a “giant”
  • 🧩 Threat model new developments [1.2]: ⛈️ [1.2.1] Outdated threat models, ⛈️ [1.2.4] Mitigation debt / Security later & “later=never” anti-pattern
  • (Not covering anything from 2️⃣ “What can go wrong?” Phase / 3️⃣ “What are we going to do about it?” Phase / 4️⃣ “Did we do a good (enough) job?” Phase / *️⃣ Overarching aspects. The goal of the podcast episode was to introduce the project.)
  • Call to Action from Chris and Hendrik: Please read, get inspired and give feedback!
  • Lightning round
  
  
  
  Video podcast version at YouTube
  
  Audio podcast version with all the platform links
• Introducing Meta Threat Modeling together with the ⛈️☂️(⛈️☂️) Threat Modeling of Threat Modeling #meta, combined with lively community discussion, at the Threat Modeling Connect Community Meetup (August 23rd 2024)
  
  
  Topics discussed in this Meetup

  • Basics of threat modeling
  • Why not apply threat modeling to threat modeling itself and foresee and mitigate threats before they become real problems?
  • Meta Threat Modeling
  • How to threat model a process: Usability Threat Modeling and the BIF threat categories
  • System diagram of the ⛈️☂️(⛈️☂️) Threat Modeling of Threat Modeling #meta
  • Rough overview: 🧩 Discover threats [2.1]
  • Example threat: ✨⛈️ [2.1.3] Hard threat discovery
  • Differences between threat modeling generic threat modeling and your own
  • Breakout sessions, where participants got to threat model their own threat modeling, supported by a simple Mural board and awesome and engaged facilitators
  • Insight sharing
  
  
  Video recording at YouTube
  
  Slide deck
  
  Mural board PDF: results after 22 minutes of collaborative Meta Threat Modeling in small groups
  
  Threat Modeling Connect LinkedIn post
  
  Event page which invited to the Meetup

Banner image

Feedback?

Please reach out, so that I can improve this work! https://hendrik.ewerlin.com/security/

A detailed call for feedback is at the bottom of the document.

I'm also working on a Community twin project... Stay tuned!