Tech Talk Blog : Threat Modeling Seminar Results

Monday, 20 March 2006 1:27 PM Rocky

Threat Modeling Seminar Results

Results of the seminar.

From Feb 27th to March 17th we conducted the MS Security Seminar across Australia and New Zealand. During this time I presented on the new ACE TM methodology, and the Threat Analysis and Modeling (TAM) tool. I can say that it was an overwhelming success.

The most common reactions I got were a strong desire to get the tool and put it in to action on new and existing systems. Everyone that saw the presentation was especially glad to see that there was consistent guidance on what Threats they may be vulnerable to and that there were mitigation strategies provided. This methodology and tool have finally provided developers something they sorely needed, a very clear indication of the threats and countermeasures that their projects faced.

For a long time we have lacked the ability to clearly identify and quantify threats and their associated countermeasures. It has always been a bit of a 'black art' to determine what problems the application will actually face. Even if developers were able to determine the threats to the application, they often did not know where to start with regards to implementing the countermeasures. Traditional Threat Modeling faced a few common pitfalls that prevented its widespread uptake. Some of these include:

It was too cumbersome to implement in small teams without a dedicates security team.
The data flow diagrams did not present the data they represented in a manner that was easily understood my most developers.
There was little or no tool support to make the process easier to adopt
It required the people performing the threat modeling to be experts in not only the application being modeled, but in security and attack techniques as well.
The results were often subject to misinterpretation .
Most commonly, people said it was just too hard.

Developers have long asked for a system, or a tool that can clearly and plainly tell them exactly what it is they need to do without all the extra overhead of lengthy and time intensive processes. Many times when talking about Threat Modeling to client before the ACE TMM I was met with comments such as 'It's too hard', 'It takes too long', 'We don't know what this thing is telling us.'. Now, with the ACE TM all the questions and complaints have been answered.

By way of introducing the TAM, I explained the methodology and how it differed from traditional data flow based Threat Modeling. Everyone I spoke to after the presentations said that the new methodology was easy to grasp, and more importantly, something they could actually implement.

The methodology is clear and concise. It provides a very simple set of distinct steps that deal with information the project team is familiar with. It is not an overly convoluted or complex process which makes it easy to add to existing SDLC/SDL processes already in place in most organisations. This feature alone makes this methodology more acceptable to a lot of organisations whose internal LOB IT departments who would be responsible for implementing it.

In addition to a much more adoptable methodology, the TAM tool makes the entire process very easy to implement. This is one of the major aspects of the new system that is a huge advantage over previous M approaches. The tool support for the ACE TM is what pushed it over the line for most people attending the seminars.

When demonstrating the tool, I witnessed the audience get that ear to ear grin of discovering a solution that would finally help them create more secure software. All of the seminar attendees that saw the demonstrations were very excited about being able to use the TAM tool. All the people I spoke to afterwards were very pleased that there was finally a tool that they could actually adopt. The TAM tool is the 'killer app' of the software security landscape.

Finally we have a Threat Modeling application that not only records and processed data and statistics about the application, but it proactively generates threats for you, and provides you with the countermeasures to mitigate those threats. Get it, Use It, Now: http://msdn.microsoft.com/security/securecode/threatmodeling/acetm/

Comments

No Comments

New Comments to this post are disabled

About Rocky

Rocky is currently consulting for Readify as a Senior Consultant and is the technical lead for Readify's Security and Monitoring practice. He is an MCSD and a CISSP as well as pursuing a PhD based on research into securing the software development life cycle. In January of 2006 he was awarded an MVP form Microsoft in Developer Security. Since moving to Australia in 2000 he has been working with companies such as Vish Corporation, Softlaw, and the Australian Taxation Office on various projects ranging from personal portals, to expert systems and major government systems.