So, what is the Threat Modeling Manifesto?
The Manifesto was formed on 17 November 2020. Take a look here: threatmodelingmanifesto.org.
It was created to change the industry as threat modeling is getting a lot more attention and is entering mainstream security activities. This growing momentum needs some guidance on why it is important and how companies can begin thinking about a threat modeling program.
There are several industry experts for security, privacy and threat modeling, and IriusRisk representatives were part of this collaboration. Stephen de Vries, CEO and Co-Founder of IriusRisk, and Fraser Scott, VP of Product.
The Purpose and History of the Manifesto
The Manifesto is a result of 15 people collaborating to formulate what threat modeling means and how it can be effectively used and defined. This experienced group was able to agree on its own definition of threat modeling, which is: 'Threat modeling is analyzing representations of a system to highlight concerns about security and privacy characteristics.'
This group also defined what the Manifesto isn’t, the scope of this isn’t to say how threat modeling should be done, as there are many methodologies and approaches to take or choose for your threat modeling framework. The Manifesto is intentionally non-specific on the ‘how’ so that an important method isn’t overlooked. It does suggest the Four Question Framework from Adam Shostack, which asks four broad questions to ensure all areas are considered:
- What are we working on?
- What can go wrong?
- What are we going to do about it?
- Did we do a good enough job?
Who is the Manifesto aimed at?
Arguably the best few sentences on the Threat Modeling Manifesto, so we have pasted them here: 'You. Everyone. Anyone who is concerned about the privacy, safety, and security of their system.' - We couldn't agree more!
One of the biggest values of threat modeling is collaboration. We speak to organizations ourselves on rolling out a threat modeling program, and the most successful companies are those where multiple teams are on board with the goal, where they all actively threat modeling. It drives the most value throughout the organization's risk posture. This supports scalability in future too, if the whole DevSecOps organization is advocating and implementing the threat modeling effort.
Do take a look through the Threat Modeling Manifesto, as it has some great insights, plus links to other useful resources for your threat modeling journey.
Sign up to the Toreon Newsletter - for regular updates and information on threat modeling advancements, articles and announcements www.toreon.com/tmi-threat-modeling/.
Get access to a free threat modeling tool - find out more about IriusRisk Freemium here. www.iriusrisk.com/free-threat-modeling-tool.
Join an agnostic threat modeling community - Threat Modeling Connect is a unique place to engage in collaborative discussions, discover industry trends, and expand your skill set through meetups, workshops, and networking opportunities. www.threatmodelingconnect.com.
Learn about Methodologies - STRIDE, PASTA and other methodologies for approaching threat modeling are commonly used, but find out which is best for your organization by learning about them and their use cases here: www.iriusrisk.com/threat-modeling-methodologies.