07 Processing and Managing Threats Flashcards

1
Q

When should you threat model in a project, and why?

A

Threat modeling should be started at the beginning of the project.

The act of drawing trust boundaries early on can greatly help you improve your architecture.

You should also threat model as you work through features. This allows you to have smaller, more focused threat modeling projects, keeping your skills sharp and reducing the chance that you’ll find big problems at the end.

It is also a good idea to revisit the threat model as you get ready to deliver, to ensure that you haven’t made decisions which accidentally altered the reality underlying the model.

2
Q

What are second or third order threats?

A

Second or third order threats are the threats in which an attacker will try to bypass the features or design elements that you put in place to block the most important threat.

For example, if the primary threat is a car thief breaking a window, a secondary threat is them jumping the ignition.

3
Q

What are the two value propositions of threat modeling as you work through features?

A

The first is that if you do a small threat model as you start a component or feature, the design is probably closer to mind. In other words, you’ll have a more detailed model with which to look for threats.

The second is that if you find threats, they are closer to mind as you’re working on that feature.

Threat modeling as you work through features can also help you maintain your awareness of threats and your skills at threat modeling.

4
Q

What does reexamining the model mean in the “Close to Delivery” stage?

A

Reexamining the model means ensuring that everyone still agrees it’s a decent model of what you’re building, and that it includes all the trust boundaries and data flows that cross them.

5
Q

When you start looking for threats, what is the most essential input?

A

When you start looking for threats, a diagram is something between useful and essential input.

6
Q

What are the two testable states that help you assess whether you are done?

A

The first is that you have filed bugs, and the second is that you have a diagram or diagrams that everyone agrees represent the system.

7
Q

What is top-down threat modeling?

A

Top-down threat modeling is an approach to finding threats by modeling from the highest-level view you can build of the entire system.

8
Q

What is bottom-up threat modeling?

A

Bottom-up threat modeling is an approach to finding threats that starts by working from features, and then attempts to derive a coherent system model from those feature-level models.

9
Q

Why does bottom-up threat modeling not work?

A

The reason bottom-up threat modeling does not work is that it is challenging to bring feature-level threat models together when they are not derived from a system-level view.

10
Q

What are the three different lists you iterate “across”?

A

The three different lists you iterate across are:
1. Iterate across a list of the trust boundaries
2. Iterate across a list of diagram elements
3. Iterate across a list of threats
