The Threat Modeling Manifesto defines threat modeling as “analyzing representations of a system to highlight concerns about security and privacy characteristics.” The representation is the foundation of threat modeling: it is the artifact the threat modeler uses to capture the essence of the thing being modeled. Without a solid representation, it is hard to draw robust security or privacy conclusions.
A representation takes many different forms:
- Data flow diagram (DFD) — a process diagram that simplifies in-depth flowcharting by using a limited set of elements: process, data flow, data store, external entity, and trust boundary.
- Attack tree — a conceptual diagram showing how an asset or target might be attacked, with the attacker's goal at the root and the ways of reaching it as branches.
- Swim lane diagram — visually separates the responsibilities of each actor or system for the sub-processes of a business process.
- Pseudo-code — a plain-language description of the steps the code will eventually perform.
- Napkin — the simplest form of representation: a sketch scribbled on a napkin over a lunch meeting.
The takeaway is that while a representation can take many different forms, all representations serve the same function: to help the threat modeling team find the best possible set of threats and mitigations for whatever the representation represents.
Many threat modelers answered a poll on LinkedIn asking, “When threat modeling, what do you use to create a representation?”
Data flow diagrams came out as the most used representation. Avi Douglen and Izar Tarandach, well-known leaders in the world of threat modeling, both advocate data flow diagrams, and each adds other representations to his explanation: swim lanes and Wardley maps for Avi, Python code (PyTM) for Izar.
DFDs most often for new models; lately I've been using swimlanes more (especially if devs already have them). I am also trying out / experimenting with a focused Wardley map as well. Not really confident in this yet, but it feels really powerful.
Avi Douglen
Whichever works best for the owners of the system to better express it via the model. If it is me, then probably DFDs. Or Python code!
Izar Tarandach
Steve Springett summarizes the benefits of multiple representations in describing how he uses DFDs and attack trees together to understand and discover the threats in the things he models.
Why just one? DFDs and attack trees are commonly used in my threat models. In my experience, the DFD can inform the attack tree, since the DFD will have all the assets and processes that can be attacked. The attack tree can then identify things in the DFD that were previously marked as out of scope, and we can reevaluate whether that truly is the case. But I always start out with a DFD.
Steve Springett
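To make concrete both Izar's “Python code” as a representation and Steve's point that the DFD informs the attack tree, here is an added example. It is not PyTM and not code from the article: the element kinds, the STRIDE-style threat hints, and the sample system (web_app, customer_db, metrics_vendor, the boundary names) are all constructed for illustration. The DFD is captured as data, the flows that cross a trust boundary are listed first, each crossing flow contributes an OR-branch to an attack tree, and any crossing flow that touches an element marked out of scope is flagged for the scope re-evaluation Steve describes.

```python
"""A data flow diagram (DFD) captured as Python objects instead of boxes and arrows.

Added example for this article; it is not PyTM and not code from the post. The
element kinds, the STRIDE-style threat hints and the sample system are all
constructed for illustration.
"""
from dataclasses import dataclass
import json


@dataclass(frozen=True)
class Element:
    """A DFD node: process, data store or external entity, placed in a trust boundary."""
    name: str
    kind: str          # "process" | "data_store" | "external_entity"
    boundary: str      # trust boundary the element lives in (hypothetical names)
    in_scope: bool = True


@dataclass(frozen=True)
class Flow:
    """A DFD data flow with the properties we can reason about without a picture."""
    source: Element
    sink: Element
    data: str
    protocol: str
    encrypted: bool        # confidentiality in transit
    authenticated: bool    # the sink can verify the identity of the source

    def label(self) -> str:
        return f"{self.source.name} -> {self.sink.name} [{self.data}]"


def crossing_flows(flows):
    """Flows that cross a trust boundary are where threats concentrate; list them first."""
    return [f for f in flows if f.source.boundary != f.sink.boundary]


def threats_for_flow(flow):
    """Derive threat hints from a flow's attributes (STRIDE-style, deliberately not exhaustive)."""
    hints = []
    if not flow.encrypted:
        hints.append(f"Information disclosure: {flow.data} travels in the clear over {flow.protocol}")
    if not flow.authenticated:
        hints.append(f"Spoofing: {flow.sink.name} cannot verify that traffic really comes from {flow.source.name}")
    if not flow.authenticated and flow.sink.kind == "data_store":
        hints.append(f"Tampering: unauthenticated writes can alter {flow.data} in {flow.sink.name}")
    return hints


def build_attack_tree(goal, flows):
    """Let the DFD inform the attack tree: root goal, one OR-branch per crossing flow with findings."""
    branches = []
    for f in crossing_flows(flows):
        hints = threats_for_flow(f)
        if hints:
            branches.append({"via": f.label(), "or": hints})
    return {"goal": goal, "or": branches}


def scope_questions(flows):
    """Crossing flows that touch an element marked out of scope: re-evaluate that decision."""
    return [f.label() for f in crossing_flows(flows)
            if not (f.source.in_scope and f.sink.in_scope)]


# Constructed sample system with hypothetical names and boundaries.
browser = Element("browser", "external_entity", "internet")
web = Element("web_app", "process", "dmz")
cache = Element("session_cache", "data_store", "dmz")
db = Element("customer_db", "data_store", "internal")
jobs = Element("nightly_jobs", "process", "internal")
telemetry = Element("metrics_vendor", "external_entity", "vendor", in_scope=False)

FLOWS = [
    Flow(browser, web, "session cookie", "HTTPS", encrypted=True, authenticated=True),
    # Same boundary (dmz -> dmz): weak, but not surfaced by the boundary-first pass.
    Flow(web, cache, "session state", "redis", encrypted=False, authenticated=False),
    Flow(web, db, "customer records", "postgres", encrypted=False, authenticated=True),
    Flow(jobs, db, "report queries", "postgres", encrypted=False, authenticated=True),
    Flow(web, telemetry, "usage telemetry", "HTTPS", encrypted=True, authenticated=False),
]

if __name__ == "__main__":
    print("Trust-boundary crossings:")
    for f in crossing_flows(FLOWS):
        print("  ", f.label())
    print(json.dumps(build_attack_tree("read customer records", FLOWS), indent=2))
    print("Scope to re-evaluate:", scope_questions(FLOWS))
```

Running it lists three boundary crossings (browser to web_app, web_app to customer_db, web_app to metrics_vendor), builds an attack tree with two branches (the unencrypted database connection and the unauthenticated telemetry flow), and flags the telemetry flow because metrics_vendor was marked out of scope. The unauthenticated, unencrypted web_app to session_cache flow never appears, because it stays inside one trust boundary; that is exactly the kind of assumption a second representation, or a colleague, should challenge.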
The takeaway here is that in threat modeling there is no single best representation. Use the one that makes the most sense for the system and the team, and look for opportunities to add representations to your process; a second view often surfaces threats the first one hid. Don't be afraid to try a new representation. The best threat modeling exercises a creative mind: it is part art and part science.