With the data flow diagram showing the data stores and how data flows inside our system, it is time to look at potential threats and classify them.
From the point of view of the result, it doesn’t matter in which order we look at threats or how we think of them. In the end, a threat is a threat.
However, it is quite difficult for beginners to imagine potential threats to the system. The mantra here is to think like an attacker, but that is not an easy task.
To help our brainstorm, it is useful to classify threats so that we can think of potential attacks from each category. For example, we can use the OWASP Top 10 or the STRIDE model (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege). Other classifications exist, such as the CIA triad (Confidentiality, Integrity, Availability) or LINDDUN (a privacy threat modeling methodology whose name is a mnemonic for the privacy threat categories Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness and Non-compliance), but we will limit ourselves to the first two for now.
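As an added illustration (not code from the original article) of how a classification drives the brainstorm, the script below walks the elements of a small data flow diagram and applies the STRIDE-per-element heuristic: each kind of element (external entity, process, data store, data flow) gets only the STRIDE categories that are usually relevant to it, and each category is turned into a question the team can answer. The DFD (a browser user, a web app and an orders database) and the question wording are constructed for the example; the per-element mapping itself is the standard one from the Microsoft SDL.

```python
"""STRIDE-per-element threat enumeration over a toy data flow diagram.

Added example; the sample DFD and the prompt wording are constructed,
the element-to-category mapping is the usual STRIDE-per-element table.
"""
from dataclasses import dataclass
from typing import Iterable, List

STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories normally apply to each DFD element kind.
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}

# One brainstorm question per category (constructed wording).
PROMPTS = {
    "S": "Could someone impersonate {name}, or impersonate a party it talks to?",
    "T": "Could data held by or passing through {name} be modified undetected?",
    "R": "Could an action involving {name} later be denied for lack of evidence?",
    "I": "Could {name} expose data to someone not authorised to see it?",
    "D": "Could {name} be made unavailable or exhausted by an attacker?",
    "E": "Could someone gain capabilities through {name} they should not have?",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                          # one of PER_ELEMENT's keys
    crosses_trust_boundary: bool = False


@dataclass(frozen=True)
class Threat:
    element: str
    category: str                      # full STRIDE name
    prompt: str                        # question to drive the brainstorm
    priority: int                      # 0 = examine first


def categories_for(kind: str) -> List[str]:
    """Full STRIDE category names that apply to a DFD element kind."""
    if kind not in PER_ELEMENT:
        raise ValueError(f"unknown element kind: {kind}")
    return [STRIDE[c] for c in PER_ELEMENT[kind]]


def enumerate_threats(elements: Iterable[Element]) -> List[Threat]:
    """Produce one candidate threat per (element, applicable category).

    Elements that cross a trust boundary are sorted first, since that is
    where an attacker's input enters the system and where to start.
    """
    threats: List[Threat] = []
    for el in elements:
        priority = 0 if el.crosses_trust_boundary else 1
        for letter in PER_ELEMENT[el.kind] if el.kind in PER_ELEMENT else ():
            threats.append(Threat(el.name, STRIDE[letter],
                                  PROMPTS[letter].format(name=el.name), priority))
        if el.kind not in PER_ELEMENT:
            raise ValueError(f"unknown element kind: {el.kind}")
    threats.sort(key=lambda t: t.priority)     # stable: keeps DFD order within a tier
    return threats


# Constructed sample DFD: browser user -> web app -> orders database.
SAMPLE_DFD = [
    Element("browser user", "external_entity"),
    Element("web app", "process"),
    Element("orders database", "data_store"),
    Element("user -> web app (HTTPS)", "data_flow", crosses_trust_boundary=True),
    Element("web app -> orders database (SQL)", "data_flow"),
]


def report(elements: Iterable[Element] = SAMPLE_DFD) -> str:
    """Human-readable checklist, one line per candidate threat."""
    lines = []
    for t in enumerate_threats(elements):
        marker = "*" if t.priority == 0 else " "
        lines.append(f"{marker} [{t.category:<22}] {t.element}: {t.prompt}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

Running it prints 18 candidate threats, with the boundary-crossing HTTPS flow listed first. The list is a starting point for the brainstorm, not a finished threat model: each question still has to be answered against the real system, and many candidates will be discarded as not applicable.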
The threat modeling process should repeat:
Unfortunately, this process is tedious and time-consuming. Thinking of possible threats is not the most pleasant way for developers to spend their time, and the more complex the system becomes, the more threats you will find. Some attempts at gamification have been made to make the process more enjoyable, but there is still work to do in this area.
In the end, you have no choice. Threat modeling is the most effective way to prevent security issues, and the best thing to do is embrace it and find ways to make it more interesting or enjoyable as a team.