Threat modelling
Last updated: 13 September 2023
Effectively understanding and communicating the potential attack vectors for our systems enables the Home Office to develop more secure applications and implement proportionate security. Threat modelling is an approach to identifying threats to a system so that appropriate security controls can be prioritised for implementation to mitigate risks.
There are a number of approaches to threat modelling of varying scope and involvement. This pattern suggests a few ways that teams can start to incorporate threat modelling into their activities.
Solution
Engineering teams should incorporate collaborative threat modelling with a ‘little and often’ approach. Don’t get bogged down in large upfront models; start by modelling any change to the architecture or the introduction of a new feature.
- In design sessions, use architecture and design diagrams to ask the 4 key questions:
  - What are we working on?
  - What can go wrong?
  - What are we going to do about it?
  - Did we do a good enough job?
- STRIDE is a common approach to use when getting started with threat modelling. It focuses on six categories of threat: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. This is a lightweight framework that helps teams start thinking about how they identify threats, by asking for each element of the diagram which of the six could apply to it.
- OWASP has published a threat modelling cheat sheet and other resources for more structured threat modelling processes. Teams can use these to inform their approaches as they mature.
- Once threat modelling has been used to identify potential threats, ensure that mitigation actions are agreed, prioritised and added to backlogs, so that those actions can be progressed and their success tracked.
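The steps above (a diagram as the model, STRIDE for “what can go wrong?”, and backlog items for “what are we going to do about it?”) carried through as a small threat-model-as-code script. This is an added example, not Home Office tooling or code from this page. The element kinds, the trust zones, the rule for which STRIDE categories apply to which element or flow, and the citizen-facing case system it models are all assumptions made up for the illustration; the rules mirror the sort of heuristics tools such as OWASP Threat Dragon and pytm use, but are not taken from either.

```python
# Added illustration, not Home Office tooling: a C4-style container model as
# data, STRIDE applied to each element and flow, and the output as backlog
# items. Element kinds, zones, the category rules and the system are made up.
from dataclasses import dataclass

STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}

# Assumed rule of thumb: an external entity can be impersonated or deny acting,
# a process is exposed to all six, a store is about its contents and uptime.
KIND_CATEGORIES = {"external": "SR", "process": "STRIDE", "datastore": "TRID"}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external", "process" or "datastore"
    zone: str   # trust zone drawn as a boundary on the diagram


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    encrypted: bool = False
    authenticated: bool = False  # can the destination verify the source?


@dataclass(frozen=True)
class Threat:
    target: str
    category: str   # a STRIDE letter
    detail: str
    priority: str   # "high" or "medium"


def element_threats(element, exposed):
    """Generic STRIDE questions for one element; elements that receive a flow
    from another trust zone (the `exposed` set) are prioritised higher."""
    priority = "high" if element.name in exposed else "medium"
    return [Threat(element.name, c, f"{STRIDE[c]} of {element.kind} '{element.name}'", priority)
            for c in KIND_CATEGORIES[element.kind]]


def flow_threats(flow, by_name):
    """STRIDE for one data flow: unauthenticated -> Spoofing, unencrypted ->
    Tampering and Information disclosure, boundary crossing -> Denial of service."""
    crosses = by_name[flow.src].zone != by_name[flow.dst].zone
    target = f"{flow.src} -> {flow.dst} ({flow.data})"
    priority = "high" if crosses else "medium"
    found = []
    if not flow.authenticated:
        found.append(Threat(target, "S", "destination cannot verify who sent this", priority))
    if not flow.encrypted:
        found.append(Threat(target, "T", "data in transit can be modified", priority))
        found.append(Threat(target, "I", "data in transit can be read", priority))
    if crosses:
        found.append(Threat(target, "D", "can be flooded from the less trusted zone", "high"))
    return found


def threat_model(elements, flows):
    """'What can go wrong?': run STRIDE over every element and every flow."""
    by_name = {e.name: e for e in elements}
    exposed = {f.dst for f in flows if by_name[f.src].zone != by_name[f.dst].zone}
    threats = [t for e in elements for t in element_threats(e, exposed)]
    return threats + [t for f in flows for t in flow_threats(f, by_name)]


def to_backlog(threats):
    """'What are we going to do about it?': one ticket per threat, high first,
    so mitigations can be agreed and their progress tracked."""
    rank = {"high": 0, "medium": 1}
    ordered = sorted(threats, key=lambda t: (rank[t.priority], t.target, t.category))
    return [f"[{t.priority}] {STRIDE[t.category]}: {t.target}: {t.detail}" for t in ordered]


# Constructed example system (made up): a citizen-facing web app in a DMZ, an
# internal API and a case database, i.e. a container diagram with three zones.
ELEMENTS = [Element("Citizen", "external", "internet"),
            Element("Web app", "process", "dmz"),
            Element("Case API", "process", "internal"),
            Element("Case DB", "datastore", "internal")]
FLOWS = [Flow("Citizen", "Web app", "application form", encrypted=True, authenticated=True),
         Flow("Web app", "Case API", "application JSON"),   # plain HTTP, nothing verified
         Flow("Case API", "Case DB", "case records", authenticated=True)]


def run_example():
    """Backlog for the constructed system: 25 threats, the 17 high ones first."""
    return to_backlog(threat_model(ELEMENTS, FLOWS))


if __name__ == "__main__":
    print("\n".join(run_example()))
```

Run it and the top tickets are the unauthenticated, unencrypted hop from the web app to the API across the DMZ boundary, which is the finding a quick look at the diagram should surface. The fourth question, whether the job was good enough, is a review of the generated list against the diagram by the team, not something the script decides; the value of writing the model down is that the review has something concrete to argue with.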
Considerations
- You do not need to be a security expert to do threat modelling, and the process does not need to be fully comprehensive to bring value. In fact, attempting to build the ‘perfect’ threat model is often counterproductive.
- Security is everyone’s responsibility. While it is a useful opportunity to engage security colleagues in threat modelling activities, it is not essential. Value is brought from the process when the whole team is involved.
- As engineers, our instinct is to focus on the technology. It is OK to be technology driven when doing threat modelling, but don’t forget to think about potential threats from people and process, such as who holds privileged credentials and how changes are approved and deployed.
- Good architecture diagrams really help to make threat modelling a straightforward process. Keep diagrams simple (C4 modelling is a good starting point).