November 17, 2005

New Microsoft Threat Modeling Slidedeck

As promised, Dan has sent me his slidedeck that he presented at the Westcoast Security Forum, which you can now download from my blog here. I'd like to point out a few interesting things I learned from it. First off... I LOVE the fact he uses the Common Criteria for Information Technology Security Evaluation to show the security concept and relationships on "why" threat modeling matters. I thought it was a smart idea to show that this isn't a "Microsoft" thing.

I also was surprised to learn that in the updated threat modeling process at Microsoft, the step to build threat trees is now considered an optional step. The main reason seems to be that you REALLY need to have a security guru who understands the system and the threats to it to properly define the tree in any sort of useful depth. (To those of my students that I have taught secure coding to, this is what I call attack trees). It is interesting that Microsoft found that in practice, this should be an optional step. I can't say I disagree here. If I had to sacrifice anything during a threat model for the sake of time, it would be the attack tree that wouldn't get done. So I guess I shouldn't be all that surprised.

I also liked the changes in the data flow diagrams (DFD). Now these aren't actually changes, as they are defined in the Threat Modeling book and Writing Secure Code (Second Edition). What is different is the clarity of showing privilege boundaries and defining that generally going two levels deep in a DFD is far enough. I also really appreciated how Dan showed implementation examples of the different components in a DFD, and more importantly... common DFD "bugs" and how to fix them. Actually... I think that was critical to his presentation, as I have seen myself having to correct those same exact things when further reviewing my own threat models.

Then Dan did something that actually impressed me. As information security professionals, one of the common realisms we understand is that of the three pillars of information security that fall under the CIA triad. Without them, you cannot build a secure system. For those that don't know, the CIA triad is composed of the principles of:

Why I was impressed was the fact Dan showed how STRIDE categories fit against the CIA triad. Very few developers get that. Very few even consider their software from an infosec point of view, which is probably why I have a job. :) This, to me, shows a maturing in how Microsoft is viewing threat modeling and secure software development as a whole. When I hear people saying things like spoofing and tampering are anti-I in the CIA triad, I blush. They get it! They really do.

I also appreciated the fact Dan presented a very simple chart showing Threat Types by Asset Type. One of the things I have found over time is the fact that after you do a few DFDs, you notice common patterns and solutions to the same problems. His chart broke that down quickly, and in a simple manner. I might actually have to steal that one for my presentations. Hope that's ok Dan. :)

Anyways, there is a lot for you to see and read. Feel free to download his slidedeck and check it out.

Posted by SilverStr at November 17, 2005 08:32 AM

Comments
Give Dan a heads up to clean up the PPT's document properties. They list Cory Simmonsen as the author...

Posted by: Louis Leone at November 17, 2005 01:15 PM