Wednesday, May 21, 2025

Threat Modeling Guide for Software Teams


Every software team should strive for excellence in building security into their application and infrastructure. Within Thoughtworks, we have long sought accessible approaches to threat modeling. At its heart, threat modeling is a risk-based approach to designing secure systems by identifying threats continually and developing mitigations intentionally. We believe effective threat modeling should start simple and grow incrementally, rather than relying on exhaustive upfront analysis. To demonstrate this in practice, we begin with outlining the core insights required for threat modeling. We then dive into practical threat modeling examples using the STRIDE framework.

Breaking Down the Fundamentals

Start from your Dataflows

Today's cyber threats can seem overwhelming. Ransomware, supply chain attacks, backdoors, social engineering – where should your team begin? The attacks we read about in breach reports often chain together in unexpected and chaotic ways.

The key to cutting through complexity in threat modeling lies in tracing how data moves through your technology stack. Start by following where the data enters your boundary. Typically, it could be via user interfaces, APIs, message queues, or model endpoints. Dive into getting a deeper understanding of how it flows between services, through data stores, and across trust boundaries through integrated systems.

This concrete layout of the data flow between systems transforms vague worries, such as “Should we worry about hackers?”, into specific actionable questions. For example, “What happens if this API response is tampered with?” or “What if this model input is poisoned?”.

The Crux to Identifying Threats

From there on, identifying threats can become deceptively simple: follow each one of the data flows and ask “What can go wrong?”. You'll find that this simple question will lead to complex technical and socio-behavioural analysis that will challenge your unconscious assumptions. It will force you to pivot from thinking “how system works” to “how system fails”, which in essence is the crux of threat modeling.

Let's try it. We have an API for a messaging service that accepts two inputs: a message and the recipient's ID, which then delivers the message to all internal staff. Follow through the carousel below to see how threats appear even in this simple data flow.

As illustrated in the carousel above, even a simple dataflow could warrant potential threats and cause massive havoc. By layering the question “What can go wrong?”, we have been able to expose this perspective that would otherwise remain hidden. Doing this at this small scale leads to adding appropriate defense mechanisms incrementally within every data flow, and therefore to building a secure system.

STRIDE as a Practical Aid

Brainstorming threats can become open-ended without structured frameworks to guide your thinking. As you follow key data flows through your system, use STRIDE to turbocharge your security thinking. STRIDE is an acronym and mnemonic to help remember six key information security properties, so you can methodically identify common security vulnerabilities. Mentally check each one off each time you consider a data flow:

  • Spoofed identity: Is there Authentication? Should there be? – Attackers pretending to be legitimate users through stolen credentials, phishing, or social engineering.
  • Tampering with input: What about nasty input? – Attackers modifying data, code, or memory maliciously to break your system's trust boundaries.
  • Repudiation: Does the system show who is accountable? – When something goes wrong, can you prove which user performed an action, or could they plausibly deny responsibility due to insufficient audit trails?
  • Information disclosure: Is sensitive data inappropriately exposed or unencrypted? – Unauthorized access to sensitive data through poor access controls, cleartext transmission, or insufficient data protection.
  • Denial of service: What if we smash it? – Attacks aiming at making the system unavailable to legitimate users by flooding or breaking critical components.
  • Elevation of privilege: Can I bypass Authorization? Move deeper into the system? – Attackers gaining unauthorized access levels, obtaining higher permissions than intended, or moving laterally through your system.

We use these STRIDE cards internally during threat modeling sessions, either as printed cards or on screen. Another great way to help brainstorm is to use GenAI. You don't need any fancy tool; just prompt using a normal chat interface. Give some context on the dataflow and tell it to use STRIDE. Most of the time you'll get a really helpful list of threats to consider.

Work ‘Little and Often’

Once you get the hang of identifying threats, it's tempting to organize a full-day workshop to “threat model” every dataflow in your entire system at once. This big-bang approach often overwhelms teams and rarely sticks as a consistent practice. Instead, integrate threat modeling regularly, like continuous integration for security.

The most effective threat modeling happens in bite-sized chunks, closely tied to what your team is working on right now. Spending fifteen minutes examining the security implications of a new feature can yield more practical value than hours analyzing hypothetical scenarios for code that isn't written yet. These small sessions fit naturally into your existing rhythms – perhaps during sprint planning, design discussions, or even daily standups.

This “little and often” approach brings multiple benefits. Teams build confidence gradually, making the practice less daunting. You focus on immediate, actionable concerns rather than getting lost in edge cases. Most importantly, threat modeling becomes a natural part of how your team thinks about and delivers software, rather than a separate security activity.

It's a Team Sport!

Effective threat modeling draws strength from diverse perspectives. While a security specialist might spot technical vulnerabilities, a product owner might identify business risks, and a developer might see implementation challenges. Each viewpoint adds depth to your understanding of potential threats.

This doesn't mean you need formal workshops with the whole organization. A quick conversation by the team's whiteboard can be just as valuable as a structured session. What matters is bringing different viewpoints together – whether you're a small team huddled around a screen, or collaborating remotely with security experts.

The goal isn't just to find threats – it's to build shared understanding. When a team threat models together, they develop a common language for discussing security. Developers learn to think like attackers, product owners understand security trade-offs, and security specialists gain insight into the system's inner workings.

You don't need security expertise to start. Fresh eyes often spot risks that experts might miss, and every team member brings valuable context about how the system is built and used. The key is creating an environment where everyone feels comfortable contributing ideas, whether they're seasoned security professionals or completely new to threat modeling.

Quick Team Threat Modeling

Approach and Preparation

A quick whiteboard session within the team provides an accessible starting point for threat modeling. Rather than attempting exhaustive analysis, these informal 15-30 minute sessions focus on examining immediate security implications of features your team is currently developing. Let's walk through the steps to conduct one with an example.

Let's say a software team is working on an order management system, and is planning an epic where store assistants can create and modify customer orders. This is a perfect scope for a threat modeling session. It is focused on a single feature with clear boundaries.

The session requires participation from development team members, who can elaborate the technical implementation. It's great to get attendance from product owners, who know the business context, and security specialists, who can provide valuable input, but you don't have to be blocked by their unavailability. Anyone involved in building or supporting the feature, such as the testers or the business analysts, should be encouraged to join and contribute their perspective.

The materials needed are simple: a whiteboard or shared digital canvas, different colored markers for drawing components and data flows, and sticky notes for capturing threats.

Once the team is gathered with these materials, they are ready to ‘explain and explore’.

Explain and Explore

In this stage, the team aims to gain a common understanding of the system from different perspectives before they start to identify threats. Typically, the product owner starts the session with an elaboration of the functional flows, highlighting the users involved. A technical overview from developers follows, with them also capturing the low-level tech diagram on the whiteboard. This is a good place to put those colored markers to use to clearly classify different internal and external systems and their boundaries, as it helps greatly in identifying threats later on.

Once this low-level technical diagram is up, the entities that lead to financial loss, reputation loss, or that result in legal disputes are highlighted as ‘assets’ on the whiteboard before the floor opens for threat modeling.

A worked example:

For the order management scope (create and modify orders), the product owner elaborated the functional flows and identified key business assets requiring protection. The flow begins with the customer service executive or the store assistant logging in to the web UI and landing on the home page. To modify the order, the user must search the order ID from the home page, land on the orders page, and change the details required. To create a new order, the user must use the create order page by navigating from the home page menu. The product owner emphasized that customer data and order information are critical business assets that drive revenue and maintain customer trust, particularly as they are covered by GDPR.

The developers walked through the technical components supporting the functional flow. They noted a UI component, an authentication service, a customer database, an order service and the orders database. They further elaborated the data flows between the components. The UI sends the user credentials to the authentication service to verify the user before logging them in, after which it calls the order service to perform /GET, /POST, and /DELETE operations to view, create and delete orders respectively. During these discussions they also noted the UI component as the least trusted, as it's exposed to external access.

The carousel below shows how the order management team went about capturing the low-level technical diagram step-by-step on the whiteboard:

Throughout the discussion, the team members were encouraged to point out missing elements or corrections. The goal was to ensure everyone understood the accurate representation of how the system worked before diving into threat modeling.

As the next step, they went on to identifying the critical assets that need protection based on the following logical conclusions:

  • Order information: A critical asset, as tampering with it could lead to loss in sales and damaged reputation.
  • Customer details: Any exposure of sensitive customer details could result in legal issues under privacy laws.

With this concrete layout of the system and its assets, the team went on to brainstorming threats directly.

Identify Threats

In the whiteboarding format, we could run the blackhat thinking session as follows:

  1. First, distribute the sticky notes and pens to everyone.
  2. Take one data flow on the low-level tech diagram to discuss threats.
  3. Ask the question, “what could go wrong?” while prompting through the STRIDE threat categories.
  4. Capture threats, one per sticky, with the mandate that the threat is specific such as “SQL injection from
    Internet” or “No encryption of customer data”.
  5. Place stickies where the threat could occur on the data flow visibly.
  6. Keep going until the team runs out of ideas!

Remember, attackers will use the same data flows as legitimate users, but in unexpected ways. Even a seemingly simple data flow from an untrusted source can cause significant havoc, and therefore it's essential to cover all the data flows before you end the session.
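
One way to keep track of that coverage during a session, as an added example that is not part of the original article: it records stickies against the order management data flows and reports which STRIDE prompts each flow has not yet been asked. The trust levels, the two database flows, the sample stickies and the "Payment gateway" component are assumptions constructed for the example.

```python
from collections import defaultdict

# The six STRIDE prompts, keyed by initial.
STRIDE = {
    "S": "Spoofed identity: is there authentication? Should there be?",
    "T": "Tampering with input: what about nasty input?",
    "R": "Repudiation: does the system show who is accountable?",
    "I": "Information disclosure: is sensitive data exposed or unencrypted?",
    "D": "Denial of service: what if we smash it?",
    "E": "Elevation of privilege: can I bypass authorization?",
}

# Lower number = less trusted. Only "UI is least trusted" comes from the
# article; the other levels are assumed for this example.
TRUST = {"UI": 0, "Authentication service": 1, "Order service": 1,
         "Customer database": 2, "Orders database": 2}

# (source, destination, data). The two UI flows are described in the article;
# the two database flows are assumed.
FLOWS = [
    ("Order service", "Orders database", "order records"),
    ("UI", "Authentication service", "user credentials"),
    ("Order service", "Customer database", "customer details"),
    ("UI", "Order service", "GET/POST/DELETE order requests"),
]

# Constructed sample stickies: (source, destination, STRIDE letter, threat).
STICKIES = [
    ("UI", "Authentication service", "S", "Credentials stolen by social engineering"),
    ("UI", "Order service", "S", "Logged-in session left open in the store"),
    ("UI", "Order service", "T", "Order service endpoints are not protected"),
    ("UI", "Order service", "I", "/viewOrders returns any number of records"),
    ("UI", "Order service", "D", "DDoS against the order service endpoint"),
    ("Order service", "Orders database", "R", "No logs for direct database inserts"),
    ("Order service", "Orders database", "I", "Order data stored in plain text"),
    ("UI", "Payment gateway", "T", "Tampered payment callback"),  # flow not on diagram
]


def agenda(flows, trust):
    """Order flows for discussion: least trusted source first.
    sorted() is stable, so diagram order breaks ties."""
    return sorted(flows, key=lambda flow: trust[flow[0]])


def review(flows, stickies):
    """Return (gaps, misplaced): the STRIDE letters not yet covered for each
    flow, and stickies that reference a flow missing from the diagram."""
    known = {(src, dst) for src, dst, _ in flows}
    seen = defaultdict(set)
    misplaced = []
    for src, dst, letter, text in stickies:
        if (src, dst) not in known or letter not in STRIDE:
            misplaced.append((src, dst, letter, text))
        else:
            seen[(src, dst)].add(letter)
    gaps = {(src, dst): [l for l in STRIDE if l not in seen[(src, dst)]]
            for src, dst, _ in flows}
    return gaps, misplaced


def worksheet(flows, trust, stickies):
    """Build the text a facilitator would read out before closing the session."""
    gaps, misplaced = review(flows, stickies)
    lines = []
    for src, dst, data in agenda(flows, trust):
        lines.append(f"{src} -> {dst} ({data})")
        for letter in gaps[(src, dst)]:
            lines.append(f"  still to ask: {STRIDE[letter]}")
    for src, dst, _, text in misplaced:
        lines.append(f"not on the diagram: {src} -> {dst}: {text}")
    return lines


if __name__ == "__main__":
    print("\n".join(worksheet(FLOWS, TRUST, STICKIES)))
```

A sticky that lands on a flow missing from the diagram is reported separately, because it usually means the diagram is incomplete, not that the threat is wrong.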

A worked example:

The order management team opened the floor for black hat thinking after identifying the assets. Each team member was encouraged to think like a hacker and come up with ways to attack the assets. The STRIDE cards were distributed as a precursor. The team went ahead and flooded the board with their ideas freely, without debating for now whether something was really a threat, and captured them as stickies along the data flows.

Try coming up with a list of threats based on the system understanding you have so far. Recall the crux of threat modeling. Start thinking about what can go wrong and cross-check with the list the team came up with. You may have identified more as well. 🙂

The carousel here shows how threats are captured along the data flows on the tech diagram as the team brainstorms:

The team flooded the whiteboard with many threats as stickies on the respective data flows, similar to those depicted in the carousel above:

Category | Threats

Spoofed identity

1. Social engineering tricks could be played on the customer service executive or store assistant to get their login credentials, or just shoulder surfing or malware might do the trick. They can use it to change the orders.

2. The store assistant could forget to log out, and anyone in the store could use the logged-in session to change the delivery addresses of existing orders (e.g., to their own address).

Tampering with inputs

3. The attacker could get hold of the order service endpoints from any open browser session and tamper with orders later, if the endpoints are not protected.

4. Code injection could be used while placing an order to hijack customer payment details.

Repudiation of actions

5. Developers with production access, when they find out there are no logs for their actions, could create bulk orders for their family and friends by directly inserting records in the database and triggering other relevant processes.

Information disclosure

6. If the database is attacked via a back door, all the information it holds could be exposed, when the data is stored in plain text.

7. Stealing passwords from unencrypted logs or other storage would enable the attacker to tamper with order data.

8. The customer service executive or store assistant doesn't have any restrictions on their operations; clarifying clear roles and responsibilities may be required, as they could work with an accomplice to abuse their permissions.

9. The /viewOrders endpoint allows any number of records to be returned. Once compromised, this endpoint could be used to view all orders. The team made a note to at least evaluate reducing the blast radius.

Denial of service

10. The attacker could perform a Distributed Denial of Service (DDoS) attack and bring down the order service once they get hold of the endpoint, leading to loss of sales.

Elevation of privileges

11. If an attacker manages to get hold of the credentials of any developer with admin rights, they could add new users or elevate the privileges of existing users to maintain an elevated level of access to the system in the future. They could also create, modify, or delete order records without anyone noticing, as there are no logs for admin actions.

NOTE: This exercise is intended only to get you familiar with the threat modeling steps, not to provide an accurate threat model for an order management system.

Later, the team went on to discuss the threats one by one and added their points to each of them. They noticed several design flaws and nuanced permission issues, and also noted the need to discuss production privileges for team members. Once the discussion delved deeper, they realized most threats seemed critical and that they needed to prioritize in order to focus on building the right defenses.

Prioritize and Fix

Time to turn threats into action. For each identified threat, evaluate its risk by considering likelihood, exposure, and impact. You can also try to come up with a dollar value for the loss of the respective asset. That might sound daunting, but you just need to think about whether you've seen this threat before, if it's a common pattern like those in the OWASP Top 10, and how exposed your system is. Consider the worst case scenario, especially when threats might combine to create bigger problems.

But we are not done yet. The goal of threat modeling isn't to instill paranoia, but to drive improvement. Now that we have identified the top threats, we should adopt day-to-day practices to ensure the appropriate defense is built for them. Some of the day-to-day practices you could use to embed security are:

  • Add security related acceptance criteria on existing user stories
  • Create focused user stories for new security features
  • Plan spikes when you need to investigate solutions from a security lens
  • Update ‘Definition of Done’ with security requirements
  • Create epics for major security architecture changes

Remember to take a photo of your threat modeling diagram, and assign action items to the product owner/tech lead/any team member to get them into the backlog as per one of the above ways. Keep it simple and use your normal planning process to implement them. Just tag them as ‘security-related’ so you can track their progress consciously.

A worked example:

The order management team decided to address the threats in the following ways:
1. adding cross-functional acceptance criteria across all the user stories,
2. creating new security user stories and
3. following security by design principles as elaborated here:

Threats | Measures

Threat: Any unencrypted sensitive information in the logs, transit, and the database at rest is vulnerable to attacks.

Measure: The team decided to address this threat by adding a cross-functional acceptance criterion to all of their user stories.

“All sensitive information such as order data, customer data, access tokens, and development credentials should be encrypted in logs, in transit and in the database.”

Threat: Unprotected Order service APIs could lead to exposure of order data.

Measure: Although the user has to be logged in to see the orders (is authenticated), the team realized there is nothing to stop unauthenticated requests direct to the API. This would have been a pretty major flaw if it had made it into production! The team had not spotted it before the session. They added the following user story so it can be tested explicitly as part of sign-off.

“GIVEN any API request is sent to the order service
WHEN there is no valid auth token for the current user included in the request
THEN the API request is rejected as unauthorized.”

This is a significant architecture change, as they need to implement a mechanism to validate if the auth token is valid by calling the authentication service. And the authentication service needs to have a mechanism to validate if the request is coming only from a trusted source. So they captured it as a separate user story.

Threat: Login credentials of store assistants and customer service executives are prone to social engineering attacks.

Measure: Given that there are significant consequences to the loss of login credentials, the team realized they need to add an epic around multi-factor authentication, role based authorization restrictions, and time based auto-logout from the browser to their backlog. This is a significant chunk of scope that would have been missed otherwise, leading to unrealistic release timelines.

Along with these specific actions, the team staunchly decided to follow the principle of least privileges, where each team member will only be provided the minimum required access to any and all test and production environments, repositories, and other internal tools.
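
The order service user story from the measures above ("no valid auth token, then rejected as unauthorized"), sketched as an added example that is not the team's code: the order service asks the authentication service to validate every token, and the authentication service only answers callers it trusts. The class names, the `Authorization: Bearer` header and the HMAC-based caller check are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time


class AuthService:
    """Stand-in for the authentication service (hypothetical interface)."""

    def __init__(self, trusted_callers):
        self._trusted_callers = trusted_callers  # caller id -> shared key (bytes)
        self._sessions = {}                      # token -> (user, expiry time)

    def login(self, user, ttl_seconds=900):
        """Issue a random session token; credential checking is out of scope."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, time.time() + ttl_seconds)
        return token

    def validate(self, token, caller_id, caller_mac):
        """Return the user for a live token, or None. Only a caller that
        proves knowledge of its shared key gets an answer."""
        key = self._trusted_callers.get(caller_id)
        if key is None:
            return None
        expected = hmac.new(key, token.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, caller_mac):
            return None
        user, expires_at = self._sessions.get(token, (None, 0.0))
        return user if time.time() < expires_at else None


class OrderService:
    def __init__(self, auth, service_id, service_key, orders):
        self._auth, self._id, self._key = auth, service_id, service_key
        self._orders = orders

    def handle_unprotected(self, method, path, headers):
        """Before: assumes only the logged-in UI ever calls the API."""
        if (method, path) == ("GET", "/viewOrders"):
            return 200, {"orders": list(self._orders)}
        return 404, {"error": "not found"}

    def handle(self, method, path, headers):
        """After: every request needs a token the authentication service accepts."""
        if self._current_user(headers) is None:
            return 401, {"error": "unauthorized"}
        return self.handle_unprotected(method, path, headers)

    def _current_user(self, headers):
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return None
        mac = hmac.new(self._key, token.encode(), hashlib.sha256).digest()
        return self._auth.validate(token, self._id, mac)


def demo():
    """Run the GIVEN/WHEN/THEN cases and return the HTTP status of each."""
    key = secrets.token_bytes(32)
    auth = AuthService({"order-service": key})
    data = [{"id": 1, "item": "kettle"}]  # constructed sample order
    orders = OrderService(auth, "order-service", key, data)
    rogue = OrderService(auth, "order-service", b"guessed-key", data)
    good = {"Authorization": "Bearer " + auth.login("store-assistant")}
    stale = {"Authorization": "Bearer " + auth.login("store-assistant", ttl_seconds=-1)}
    call = ("GET", "/viewOrders")
    return {
        "before, no token": orders.handle_unprotected(*call, {})[0],
        "no token": orders.handle(*call, {})[0],
        "made-up token": orders.handle(*call, {"Authorization": "Bearer made-up"})[0],
        "expired token": orders.handle(*call, stale)[0],
        "valid token": orders.handle(*call, good)[0],
        "valid token, untrusted caller": rogue.handle(*call, good)[0],
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{status}  {case}")
```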

Platform focussed threat model workshop

Approach and Preparation

There are times when security demands a larger, more cross-programme, or cross-organizational effort. Security issues often occur at the boundaries between systems or teams, where responsibilities overlap and gaps are sometimes overlooked. These boundary points, such as infrastructure and deployment pipelines, are critical as they often become prime targets for attackers due to their high privilege and control over the deployment environment. But when multiple teams are involved, it becomes increasingly hard to get a comprehensive view of vulnerabilities across the entire architecture.

So it is absolutely essential to involve the right people in such cross-team threat modeling workshops. Participation from platform engineers, application developers, and security specialists is going to be crucial. Involving other roles who work closely in the product development cycle, such as the business analysts/testers, would ensure a holistic view of risks too.

Here is a preparation kit for such cross-team threat modeling workshops:

  • Collaborative tools: If running the session remotely, use tools like Mural,
    Miro, or Google Docs to diagram and collaborate. Ensure these tools are
    security-approved to handle sensitive information.
  • Set a manageable scope: Focus the session on critical components, such as
    the CI/CD pipeline, AWS infrastructure, and deployment artifacts. Avoid trying
    to cover the whole system in one session; timebox the scope.
  • Diagram ahead of time: Consider creating basic diagrams asynchronously
    before the session to save time. Ensure everyone understands the diagrams and
    symbols in advance.
  • Keep the session concise: Start with 90-minute sessions to allow for
    discussion and learning. Once the team gains experience, shorter, more frequent
    sessions can be held as part of regular sprints.
  • Engagement and facilitation: Make sure everyone actively contributes,
    especially in remote sessions where it's easier for people to disengage.
    Use icebreakers or simple security exercises to start the session.
  • Prioritize outcomes: Refocus the discussions towards identifying actionable security stories, as that is the primary outcome of the workshop.
    Prepare for documenting them clearly. Identify action owners to add them to their respective backlogs.
  • Breaks and timing: Plan for extra breaks to avoid fatigue when remote, and ensure the session finishes on time with clear, concrete
    outcomes.

Explain and Explore

We have a worked example here where we focus on threat modeling the infrastructure and deployment pipelines of the same order management system, assuming it is hosted on AWS. A cross-functional team comprising platform engineers, application developers, and security specialists was gathered to uncover all of the localized and systemic vulnerabilities.

They began the workshop by defining the scope for threat modeling clearly to everyone. They elaborated on the various users of the system:

  • Platform engineers, who are responsible for infrastructure management, have privileged access to the AWS Management Console.
  • Application developers and testers interact with the CI/CD pipelines and application code.
  • End users interact with the application UI and provide sensitive personal and order information while placing orders.

The team then captured the low-level technical diagram showing the CI/CD pipelines, AWS infrastructure components, data flows, and the users as seen in the carousel below.

The team moved on to identifying the key assets in their AWS-based delivery pipeline based on the following conclusions:

  • AWS Management Console access: Since it provides powerful capabilities for infrastructure management including IAM configuration,
    any unauthorized changes to core infrastructure could lead to system-wide vulnerabilities and potential outages.
  • CI/CD pipeline configurations for both application and infrastructure pipelines:
    Tampering with them could lead to malicious code moving into production, disrupting the business.
  • Deployment artifacts such as application code, infrastructure as code for S3 (hosting UI), Lambda (Order service), and Aurora DB:
    They are sensitive IP of the organization and could be stolen, destroyed or tampered with, leading to loss of business.
  • Authentication service: Since it allows interaction with the core identity service,
    it can be abused for gaining illegitimate access control to the order management system.
  • Order data stored in the Aurora database: Since it stores sensitive business and customer information, it can lead to loss of business reputation when breached.
  • Access credentials including AWS access keys, database passwords, and other secrets used throughout the pipeline:
    These can be used for ill intentions like crypto mining, leading to financial losses.

With these assets laid on the technical diagram, the team put on their “black hat” and started thinking about how an attacker might exploit the privileged access points in their AWS environment and the application-level components in their delivery pipeline.

Identify Threats

The team once again followed the STRIDE framework to prompt the discussion (refer to the worked example under the ‘Quick Team Threat Modeling’ section above for STRIDE framework elaboration) and captured all their ideas as stickies. Here is the list of threats they identified:

Category | Threats

Spoofed identity

1. An attacker could use stolen platform engineer credentials to access the AWS Management Console and make unauthorized changes to infrastructure.

2. Someone could impersonate an application developer in GitHub to inject malicious code into the CI/CD pipeline.

Tampering with inputs

3. An attacker could modify infrastructure-as-code files in the GitHub repository to disable security protections.

4. Someone could tamper with source code for the app to include malicious code.

Repudiation of actions

5. A platform engineer could make unauthorized changes to AWS configurations and later deny their actions due to lack of proper logging in CloudTrail.

6. An application developer could deploy ill-intended code, if there's no audit trail in the CI/CD pipeline.

Information disclosure

7. Misconfigured S3 bucket permissions could expose the UI files and potentially sensitive information.

8. Improperly written Lambda functions might leak sensitive order data through verbose error messages.

Denial of service

9. An attacker could exploit the autoscaling configuration to trigger unnecessary scaling, causing financial damage.

10. Someone could flood the authentication service with requests, preventing legitimate users from accessing the system.

Elevation of privilege

11. An application developer could exploit a misconfigured IAM role to gain platform engineer level access.

12. An attacker could use a vulnerability in the Lambda function to gain broader access to the AWS environment.

Prioritize and Fix

The team had to prioritize the threats to identify the right defense measures next. The team chose to vote on threats based on their impact this time. For the top threats, they discussed defense measures such as buying secret vaults, integrating secret scanners into the pipelines, building two-factor authentication, and buying specific off-the-shelf security related products.

Apart from the tools, they also identified the need to follow stricter practices such as the ‘principle of least privileges’ even within the platform team, and the need to design the infrastructure components with well thought through security policies. When they had successfully translated these defense measures into security stories, they were able to identify the budget required to purchase the tools, and a plan for internal approvals and implementation, which subsequently led to smoother cross-team collaboration.

Conclusion

Threat modeling isn't just another security activity – it's a transformative practice that helps teams build security thinking into their DNA. While automated checks and penetration tests are valuable, they only catch known issues. Threat modeling helps teams understand and address evolving cyber risks by making security everyone's responsibility.

Start simple and keep improving. Run retrospectives after a few sessions. Ask what worked, what didn't, and adapt. Experiment with different diagrams, try domain-specific threat libraries, and connect with the wider threat modeling community. Remember – no team has ever found this “too hard” when approached step-by-step.

At minimum, your first session will add concrete security stories to your backlog. But the real value comes from building a team that thinks about security continuously, and not as an afterthought. Just set aside that first 30 minutes, get your team together, and start drawing those diagrams.
