Every software team should strive for excellence in building security into their application and infrastructure. Within Thoughtworks, we have long sought accessible approaches to threat modeling. At its heart, threat modeling is a risk-based approach to designing secure systems by identifying threats continually and developing mitigations intentionally. We believe effective threat modeling should start simple and grow incrementally, rather than relying on exhaustive upfront analysis. To demonstrate this in practice, we begin by outlining the core insights required for threat modeling. We then dive into practical threat modeling examples using the STRIDE framework.
Breaking Down the Fundamentals
Start from your Dataflows
Today’s cyber threats can seem overwhelming. Ransomware, supply chain
attacks, backdoors, social engineering – where should your team begin?
The attacks we read about in breach reports often chain together in
unexpected and chaotic ways.
The key to cutting through complexity in threat modeling lies in tracing how data moves through your technology stack. Start by following where the data enters your boundary. Typically, this could be via user interfaces, APIs, message queues, or model endpoints. Then build a deeper understanding of how it flows between services, through data stores, and across trust boundaries through integrated systems.
This concrete layout of the data flow between systems transforms vague worries, such as “Should we worry about hackers?”, into specific actionable questions. For example, “What happens if this API response is tampered with?” or “What if this model input is poisoned?”.
The Crux to Identifying Threats
From there on, identifying threats can become deceptively simple: follow each one of the data flows and ask “What can go wrong?”. You’ll find that this simple question leads to complex technical and socio-behavioural analysis that will challenge your unconscious assumptions. It will force you to pivot from thinking “how the system works” to “how the system fails”, which in essence is the crux of threat modeling.
Let’s try it. We have an API for a messaging service that accepts two inputs: a message and the recipient’s ID, which then delivers the message to all internal staff. Follow through the carousel below to see how threats appear even in this simple data flow.
As illustrated in the carousel above, even a simple dataflow can warrant potential threats and cause havoc on a massive scale. By layering the question “What can go wrong?”, we have been able to expose this perspective that would otherwise remain hidden. Doing this at this small scale leads to adding appropriate defense mechanisms incrementally within every data flow, and therefore to building a secure system.
STRIDE as a Practical Aid
Brainstorming threats can become open-ended without structured frameworks to guide your thinking. As you follow key data flows through your system, use STRIDE to turbocharge your security thinking. STRIDE is an acronym and mnemonic to help remember six key information security properties, so you can methodically identify common security vulnerabilities. Mentally check each one off every time you consider a data flow:
- Spoofed identity: Is there Authentication? Should there be? – Attackers pretending to be legitimate users through stolen credentials, phishing, or social engineering.
- Tampering with input: What about nasty input? – Attackers modifying data, code, or memory maliciously to break your system’s trust boundaries.
- Repudiation: Does the system show who’s accountable? – When something goes wrong, can you prove which user performed an action, or could they plausibly deny responsibility due to insufficient audit trails?
- Information disclosure: Is sensitive data inappropriately exposed or unencrypted? – Unauthorized access to sensitive data through poor access controls, cleartext transmission, or insufficient data protection.
- Denial of service: What if we smash it? – Attacks aiming to make the system unavailable to legitimate users by flooding or breaking critical components.
- Elevation of privilege: Can I bypass Authorization? Move deeper into the system? – Attackers gaining unauthorized access levels, obtaining higher permissions than intended, or moving laterally through your system.
We use these STRIDE cards internally during threat modeling sessions, either as printed cards or on screen. Another great way to help brainstorm is to use GenAI. You don’t need any fancy tool; just prompt using a normal chat interface. Give some context on the dataflow and tell it to use STRIDE; most of the time you’ll get a really helpful list of threats to consider.
Work ‘Little and Often’
Once you get the hang of identifying threats, it’s tempting to organize a
full-day workshop to “threat model” every dataflow in your entire system
at once. This big-bang approach often overwhelms teams and rarely sticks as a consistent
practice. Instead, integrate threat modeling regularly, like continuous integration for security.
The most effective threat modeling happens in bite-sized chunks,
closely tied to what your team is working on right now. Spending fifteen
minutes examining the security implications of a new feature can yield
more practical value than hours analyzing hypothetical scenarios for
code that isn’t written yet. These small sessions fit naturally into
your existing rhythms – perhaps during sprint planning, design
discussions, or even daily standups.
This “little and often” approach brings several benefits. Teams
build confidence gradually, making the practice less daunting. You focus
on immediate, actionable concerns rather than getting lost in edge
cases. Most importantly, threat modeling becomes a natural part of how
your team thinks about and delivers software, rather than a separate
security activity.
It’s a Team Sport!
Effective threat modeling draws strength from diverse perspectives.
While a security specialist might spot technical vulnerabilities, a
product owner might identify business risks, and a developer might see
implementation challenges. Each viewpoint adds depth to your
understanding of potential threats.
This doesn’t mean you need formal workshops with the whole
group. A quick conversation by the team’s whiteboard can be just
as valuable as a structured session. What matters is bringing different
viewpoints together – whether you’re a small team huddled around a
screen, or collaborating remotely with security experts.
The goal isn’t just to find threats – it’s to build shared
understanding. When a team threat models together, they develop a common
language for discussing security. Developers learn to think like
attackers, product owners understand security trade-offs, and security
specialists gain insight into the system’s inner workings.
You don’t need security expertise to start. Fresh eyes often spot
risks that experts might miss, and every team member brings valuable
context about how the system is built and used. The key is creating an
environment where everyone feels comfortable contributing ideas, whether
they’re seasoned security professionals or completely new to threat
modeling.
Quick Team Threat Modeling
Approach and Preparation
A quick whiteboard session within the team provides an accessible
starting point for threat modeling. Rather than attempting exhaustive
analysis, these informal 15-30 minute sessions focus on examining
immediate security implications of features your team is currently
developing. Let’s walk through the steps to conduct one with an example.
Let’s say a software team is working on an order
management system, and is planning an epic where store assistants can
create and modify customer orders. This is a good scope for a threat modeling session. It is focused on a single feature with
clear boundaries.

The session requires participation from development team members, who can elaborate the technical implementation.
It’s great to get attendance from product owners, who know the business context, and security specialists, who can provide valuable input,
but don’t get blocked by their unavailability. Anyone involved in building or supporting the feature, such as the testers or
the business analysts, should be encouraged to join and contribute their perspective.
The materials needed are straightforward:
a whiteboard or shared digital canvas, different coloured markers for drawing components and data flows, and sticky notes for capturing threats.
Once the team is gathered with these materials, they’re ready to ‘clarify and discover’.
Clarify and Discover
In this stage, the team aims to gain a common understanding of the system from different perspectives before they start to identify threats.
Typically, the product owner starts the session with an elaboration of the functional flows, highlighting the users involved.
A technical overview from developers follows, with them also capturing the low-level tech diagram on the whiteboard.
This is a good place to put those coloured markers to use to clearly classify different internal and external systems and their boundaries, as it helps greatly in identifying threats later on.
Once this low-level technical diagram is up, the entities that could lead to financial loss, reputation loss, or legal disputes are highlighted as ‘assets’ on the whiteboard before
the floor opens for threat modeling.
A worked example:
For the order management scope (create and modify orders), the product owner elaborated the functional flows and identified key business assets requiring protection. The flow starts with the customer service executive or the store assistant logging in to the web UI and landing on the home page. To modify an order, the user needs to search for the order ID from the home page, land on the orders page, and change the details required. To create a new order, the user needs to use the create order page by navigating from the home page menu. The product owner emphasized that customer data and order information are critical business assets that drive revenue and maintain customer trust, particularly as they are covered by GDPR.
The developers walked through the technical components supporting the functional flow.
They noted a UI component, an authentication service, a customer database, an order service and the orders database.
They further elaborated the data flows between the components.
The UI sends the user credentials to the authentication service to verify the user before logging them in,
and then it calls the order service to perform /GET, /POST, and /DELETE operations to view, create and delete orders respectively.
They also noted during these discussions that the UI component is the least trusted, as it’s exposed to external access.
The carousel below shows how the order management team went about capturing the low-level technical diagram step by step on the whiteboard:
Throughout the discussion, the team members were encouraged to point out missing elements or corrections.
The goal was to ensure everyone understood the accurate representation of how the system worked before diving into threat modeling.
As the next step, they went on to identify the critical assets that need protection based on the following logical conclusions:
- Order information: A critical asset, as tampering with it could lead to loss in sales and damaged reputation.
- Customer details: Any exposure of sensitive customer details could result in legal issues under privacy laws.
With this concrete layout of the system and its assets, the team went on to brainstorming threats directly.
Identify Threats
In the whiteboarding format, we could run the blackhat thinking session as follows:
- First, distribute the sticky notes and pens to everyone.
- Take one data flow on the low-level tech diagram to discuss threats.
- Ask the question, “what could go wrong?” while prompting through the STRIDE threat categories.
- Capture threats, one per sticky, with the mandate that the threat is specific, such as “SQL injection from
Internet” or “No encryption of customer data”.
- Place stickies visibly on the data flow where the threat could occur.
- Keep going until the team runs out of ideas!
Remember, attackers will use the same data flows as legitimate users, but in unexpected ways.
Even a seemingly simple data flow from an untrusted source can cause significant havoc, and therefore it’s essential to cover all the data flows before you end the session.
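The steps above as a small session aid, added here as an example and not taken from the article: it walks the order management data flows least-trusted source first, lists the STRIDE prompts for each, and reports which categories have no sticky yet. The trust levels other than the UI's, the two database flows, the sticky placements and the payment_gateway flow are assumptions constructed for the example.

```python
from collections import namedtuple

Flow = namedtuple("Flow", "src dst carries")
Sticky = namedtuple("Sticky", "src dst category text")

# STRIDE prompts, worded as in the list earlier on this page.
STRIDE = {
    "S": "Spoofed identity: is there authentication? Should there be?",
    "T": "Tampering with input: what about nasty input?",
    "R": "Repudiation: does the system show who is accountable?",
    "I": "Information disclosure: is sensitive data exposed or unencrypted?",
    "D": "Denial of service: what if we smash it?",
    "E": "Elevation of privilege: can I bypass authorization?",
}

# Lower number = less trusted. The page states only that the UI is the least
# trusted component; the remaining levels are assumptions for this example.
TRUST = {"ui": 0, "auth_service": 1, "order_service": 1,
         "customer_db": 2, "orders_db": 2}

# The two UI flows are described on the page; the database flows are assumed.
FLOWS = [
    Flow("order_service", "orders_db", "order records"),
    Flow("order_service", "customer_db", "customer details"),
    Flow("ui", "auth_service", "user credentials"),
    Flow("ui", "order_service", "GET/POST/DELETE order requests"),
]

# Constructed stickies: threat wording from the page's list, placement assumed.
STICKIES = [
    Sticky("ui", "auth_service", "S", "Social engineering tricks"),
    Sticky("ui", "order_service", "T", "Code injection while placing an order"),
    Sticky("ui", "order_service", "I", "/viewOrders returns any number of records"),
    Sticky("ui", "order_service", "D", "Distributed Denial of Service attack"),
    Sticky("ui", "payment_gateway", "T", "Constructed: sticky on a flow nobody drew"),
]


def agenda(flows):
    """Order flows for discussion: least trusted source first."""
    return sorted(flows, key=lambda f: (TRUST[f.src], TRUST[f.dst]))


def prompts_for(flow):
    """The 'what can go wrong?' questions to ask for one data flow."""
    return [f"{flow.src} -> {flow.dst} ({flow.carries}): {q}" for q in STRIDE.values()]


def coverage_gaps(flows, stickies):
    """Per flow, the STRIDE categories that have no sticky yet."""
    seen = {}
    for s in stickies:
        seen.setdefault((s.src, s.dst), set()).add(s.category)
    return {(f.src, f.dst): [c for c in STRIDE if c not in seen.get((f.src, f.dst), set())]
            for f in flows}


def unplaced(flows, stickies):
    """Stickies that sit on a flow missing from the diagram."""
    drawn = {(f.src, f.dst) for f in flows}
    return [s for s in stickies if (s.src, s.dst) not in drawn]


if __name__ == "__main__":
    gaps = coverage_gaps(FLOWS, STICKIES)
    for flow in agenda(FLOWS):
        missing = "".join(gaps[(flow.src, flow.dst)]) or "none"
        print(f"{flow.src} -> {flow.dst}: not yet discussed: {missing}")
    for s in unplaced(FLOWS, STICKIES):
        print(f"diagram is missing a flow: {s.src} -> {s.dst} ({s.text})")
```

A sticky that lands on a flow missing from the diagram is a sign the diagram needs another look before the session ends.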
A worked example:
The order management team opened the floor for black hat thinking after identifying the assets. Each team member was
encouraged to think like a hacker and come up with ways to attack the assets. The STRIDE cards were distributed as a precursor.
The team went ahead and filled the board with their ideas freely, without debating for now whether something was really a threat or not,
and captured them as stickies along the data flows.
Try coming up with a list of threats based on the system understanding you have so far.
Recall the crux of threat modeling. Start thinking about what can go wrong and
cross-check with the list the team came up with. You may have identified
more as well. 🙂
The carousel here shows how threats are captured along the data flows on the tech diagram as the team brainstorms:
The team flooded the whiteboard with many threats as stickies on the respective data flows, similar to those depicted in the carousel above:
Class | Threats |
---|---|
Spoofed identity |
1. Social engineering tricks could be played on the customer service
2. The store assistant could forget to log out, and anyone in the store |
Tampering with inputs |
3. The attacker could get hold of the order service endpoints from any open
4. Code injection could be used while placing an order to hijack customer |
Repudiation of actions |
5. Developers with production access, when they find out there are no logs |
Information disclosure |
6. If the database is attacked via a back door, all the information it holds
7. Stealing passwords from unencrypted logs or other storage would enable
8. The customer service executive or store assistant does not have any
9. The /viewOrders endpoint allows any number of records to be returned. |
Denial of service |
10. The attacker could perform a Distributed Denial of Service (DDoS) attack and bring down the order |
Elevation of privileges |
11. If an attacker manages to get hold of the credentials of any developer with admin rights, they could add new users or elevate the privileges of existing |
NOTE: This exercise is intended only to get you familiar with the
threat modeling steps, not to provide an accurate threat model for an
order management system.
Later, the team went on to discuss the threats one by one and added their points to each of them. They noticed several design flaws and nuanced
permission issues, and also noted the need to discuss production privileges for team members.
Once the discussion delved deeper, they realized most threats seemed critical and that they needed to prioritize in order to
focus on building the right defenses.
Prioritize and Repair
Time to turn threats into action. For each identified threat,
evaluate its risk by considering likelihood, exposure, and impact. You
can also try to come up with a dollar value for the loss of the
respective asset. That might sound daunting, but you just need to think
about whether you’ve seen this threat before, whether it’s a common pattern
like those in the OWASP Top 10, and how exposed your system is. Consider
the worst case scenario, especially when threats might combine to create
bigger problems.
But we are not done yet. The goal of threat modeling isn’t to
instill paranoia, but to drive improvement. Now that we have identified the top
threats, we should adopt day-to-day practices to ensure the appropriate defense is built for them.
Some of the day-to-day practices you could use to embed security are:
- Add security-related acceptance criteria on existing user stories
- Create focused user stories for new security features
- Plan spikes when you need to investigate solutions from a security lens
- Update ‘Definition of Done’ with security requirements
- Create epics for major security architecture changes
Remember to take a photo of your threat modeling diagram, and assign action items to the product owner, tech lead, or any team member to get them into the backlog as per one of the above ways.
Keep it simple and use your normal planning process to implement them. Just tag them as ‘security-related’ so you can track their progress consciously.
A worked example:
The order management team decided to address the threats in the following ways:
1. adding cross-functional acceptance criteria across all the user stories,
2. creating new security user stories and
3. following security by design principles as elaborated here:
Threats | Measures |
---|---|
Any unencrypted sensitive information in the logs, in transit, and in the database at rest is vulnerable to attacks. |
The team decided to address this threat by adding a cross-functional
“All sensitive information such as order data, customer data, access |
Unprotected Order service APIs could lead to exposure of order data. |
Although the user has to be logged in to see the orders (is “GIVEN any API request is sent to the order service WHEN there is no valid auth token for the current user included in the request THEN the API request is rejected as unauthorized.”
This is a critical architecture change as they need to implement a |
Login credentials of store assistants and customer service executives are vulnerable to social engineering attacks. |
Given that there are significant consequences to the loss of login
Along with these specific actions, the team staunchly decided to follow |
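The GIVEN/WHEN/THEN acceptance criterion quoted in the table above, turned into a runnable check; this is an added example, not code from the team or the article. The token format (an HMAC-signed payload with an expiry), the shared signing key and the function names are assumptions, since the page does not say which mechanism the team chose.

```python
import base64
import hashlib
import hmac
import json

# Assumption: one signing key shared by the authentication service and the
# order service. Constructed value, for this example only.
SIGNING_KEY = b"example-only-signing-key"


def _sign(payload: str) -> str:
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode()


def issue_token(user_id: str, expires_at: float) -> str:
    """Stand-in for what the authentication service returns after login."""
    claims = json.dumps({"sub": user_id, "exp": expires_at}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    return f"{payload}.{_sign(payload)}"


def verify_token(token: str, now: float):
    """Return the user id for a valid token, else None. Fails closed."""
    payload, sep, signature = token.partition(".")
    if not sep:
        return None
    # Check the signature before parsing anything the caller controls,
    # using a constant-time comparison.
    if not hmac.compare_digest(signature.encode(), _sign(payload).encode()):
        return None
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload.encode()))
        user_id, expires_at = claims["sub"], claims["exp"]
    except (ValueError, KeyError, TypeError):
        return None
    if not isinstance(user_id, str) or not isinstance(expires_at, (int, float)):
        return None
    return user_id if now < expires_at else None


def handle_order_request(request: dict, now: float):
    """Order service entry point: authenticate every request before routing."""
    header = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = header.partition(" ")
    user_id = verify_token(token, now) if scheme == "Bearer" else None
    if user_id is None:
        return 401, {"error": "unauthorized"}  # THEN: rejected as unauthorized
    return 200, {"user": user_id, "handled": f"{request['method']} {request['path']}"}


def acceptance_checks(now: float = 1_700_000_000.0) -> dict:
    """GIVEN any API request WHEN the token is missing or invalid THEN 401."""
    good = issue_token("store-assistant-7", expires_at=now + 900)
    stale = issue_token("store-assistant-7", expires_at=now - 1)
    # Swap in different claims but keep the signature of the valid token.
    other_claims = issue_token("admin", expires_at=now + 900).split(".")[0]
    forged = f"{other_claims}.{good.split('.')[1]}"

    def call(auth):
        headers = {} if auth is None else {"Authorization": auth}
        request = {"method": "GET", "path": "/viewOrders", "headers": headers}
        return handle_order_request(request, now)[0]

    return {
        "no token": call(None),
        "wrong scheme": call(f"Basic {good}"),
        "forged claims": call(f"Bearer {forged}"),
        "expired": call(f"Bearer {stale}"),
        "valid": call(f"Bearer {good}"),
    }


if __name__ == "__main__":
    for case, status in acceptance_checks().items():
        print(f"{case}: {status}")
```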
Platform focused threat model workshop
Approach and Preparation
There are times when security demands a larger, more cross-programme, or
cross-organizational effort. Security issues often occur at the boundaries
between systems or teams, where responsibilities overlap and gaps are sometimes
overlooked. These boundary points, such as infrastructure and deployment
pipelines, are critical as they often become prime targets for attackers due to
their high privilege and control over the deployment environment. But when multiple teams are involved,
it becomes increasingly hard to get a comprehensive view of vulnerabilities across the
entire architecture.
So it is absolutely essential to involve the right people in such cross-team threat modeling workshops. Participation from platform engineers, application developers, and security specialists is going to be crucial. Involving other roles who work closely in the product development cycle, such as business analysts and testers, would ensure a holistic view of risks too.
Here is a preparation kit for such cross-team threat modeling workshops:
- Collaborative tools: If running the session remotely, use tools like Mural,
Miro, or Google Docs to diagram and collaborate. Ensure these tools are
security-approved to handle sensitive information.
- Set a manageable scope: Focus the session on critical components, such as
the CI/CD pipeline, AWS infrastructure, and deployment artifacts. Avoid trying
to cover the entire system in one session; timebox the scope.
- Diagram ahead of time: Consider creating basic diagrams asynchronously
before the session to save time. Ensure everyone understands the diagrams and
symbols in advance.
- Keep the session concise: Start with 90-minute sessions to allow for
discussion and learning. Once the team gains experience, shorter, more frequent
sessions can be held as part of regular sprints.
- Engagement and facilitation: Make sure everyone actively contributes,
especially in remote sessions where it’s easier for participants to disengage.
Use icebreakers or simple security exercises to start the session.
- Prioritize outcomes: Refocus the discussions towards identifying actionable security stories, as that is the primary outcome of the workshop.
Prepare for documenting them clearly. Identify action owners to add them to their respective backlogs.
- Breaks and timing: Plan for extra breaks to avoid fatigue when remote, and ensure the session finishes on time with clear, concrete
outcomes.
Clarify and Discover
We have a worked example here where we focus on threat modeling the infrastructure
and deployment pipelines of the same order management system, assuming it is hosted on AWS.
A cross-functional team comprising platform engineers, application developers, and security
specialists was gathered to uncover all of the localized and systemic vulnerabilities.
They began the workshop by defining the scope for threat modeling clearly to everyone. They elaborated on the various users of the system:
- Platform engineers, who are responsible for infrastructure management, have privileged access to the AWS Management Console.
- Application developers and testers interact with the CI/CD pipelines and application code.
- End users interact with the application UI and provide sensitive personal and order information while placing orders.
The team then captured the low-level technical diagram showing the CI/CD pipelines, AWS infrastructure components, data flows,
and the users as seen in the carousel below.
The team moved on to identifying the key assets of their AWS-based delivery pipeline based on the following conclusions:
- AWS Management Console access: Since it provides powerful capabilities for infrastructure management including IAM configuration,
any unauthorized changes to core infrastructure could lead to system-wide vulnerabilities and potential outages.
- CI/CD pipeline configurations for both application and infrastructure pipelines:
Tampering with them could lead to malicious code moving into production, disrupting the business.
- Deployment artifacts such as application code, infrastructure as code for S3 (hosting UI), Lambda (Order service), and Aurora DB:
They are sensitive IP of the organization and could be stolen, destroyed or tampered with, leading to loss of business.
- Authentication service: Since it allows interaction with the core identity service,
it can be abused for gaining illegitimate access control to the order management system.
- Order data stored in the Aurora database: Since it stores sensitive business and customer information, it can lead to loss of business reputation when breached.
- Access credentials including AWS access keys, database passwords, and other secrets used throughout the pipeline:
These can be used for ill intentions like crypto mining, leading to financial losses.
With these assets laid out on the technical diagram, the team put on their “black hat” and started thinking about how an attacker might exploit the
privileged access points of their AWS environment and the application-level components of their delivery pipeline.
Identify Threats
The team once again followed the STRIDE framework to prompt the discussion
(refer to the worked example under the ‘Quick Team Threat Modeling’ section above for an elaboration of the STRIDE framework) and captured all their
ideas as stickies. Here is the list of threats they identified:
Class | Threats |
---|---|
Spoofed identity |
1. An attacker could use stolen platform engineer credentials to access the AWS
2. Someone could impersonate an application developer in GitHub to inject |
Tampering with inputs |
3. An attacker could modify infrastructure-as-code files in the GitHub
4. Someone could tamper with source code for the app to include malicious |
Repudiation of actions |
5. A platform engineer could make unauthorized changes to AWS configurations
6. An application developer could deploy ill-intended code, if there’s no audit trail in the CI/CD pipeline. |
Information disclosure |
7. Misconfigured S3 bucket permissions could expose the UI files and
8. Improperly written Lambda functions could leak sensitive order data through |
Denial of service |
9. An attacker could exploit the autoscaling configuration to trigger
10. Someone could flood the authentication service with requests, preventing |
Elevation of privilege |
11. An application developer could exploit a misconfigured IAM role to gain
12. An attacker could use a vulnerability in the Lambda function to gain broader |
Prioritize and Repair
The team needed to prioritize the threats to identify the right defense measures next. The team chose to vote on threats based on
their impact this time. For the top threats, they discussed defense measures such as buying secret vaults,
integrating secret scanners into the pipelines, building two-factor authentication, and buying specific off-the-shelf security-related products.
Apart from the tools, they also identified the need to follow stricter practices such as the ‘principle of least privilege’, even within the platform team,
and the need to design the infrastructure components with well-thought-through security policies.
Once they had successfully translated these defense measures into security stories,
they were able to identify the budget required to purchase the tools, and a plan for internal approvals and implementation, which subsequently
led to smoother cross-team collaboration.
Conclusion
Threat modeling isn’t just another security activity – it’s a
transformative practice that helps teams build security thinking into their
DNA. While automated checks and penetration tests are valuable, they only
catch known issues. Threat modeling helps teams understand and address evolving
cyber risks by making security everyone’s responsibility.
Start simple and keep improving. Run retrospectives after a few sessions.
Ask what worked, what didn’t, and adapt. Experiment with different diagrams,
try domain-specific threat libraries, and connect with the wider threat
modeling community. Remember – no team has ever found this “too hard” when
approached step by step.
At minimum, your first session will add concrete security stories to your
backlog. But the real value comes from building a team that thinks about
security continuously, and not as an afterthought. Just set aside that first 30
minutes, get your team together, and start drawing those diagrams.