“Publish your threat model. Yes, really.” Adam Shostack proposed an idea that will make most cybersecurity professionals and organizations very uncomfortable. It is worth reading through the comments on Adam’s post.
What do I think?
I’m in total agreement. I will change my practice to publish my threat models, help my customers publish theirs, and explain why I expect this to become statutorily mandatory in the future. Look for an update to ‘Meaningful Security Conversations with Your Vendors: Can Vendors Ever Provide Secure Solutions?’ A new “meaningful conversation” will be added around the threat models that vendors provide.
Just as a reminder for those who are not familiar with threat modeling: it starts with the four simple questions Adam Shostack uses to frame the practice:
1. What are we working on?
2. What can go wrong?
3. What are we going to do about it?
4. Did we do a good enough job?
For those who think this is crazy: get “over it” and start the journey toward publishing your threat models. The only real reason not to publish is “we have security gaps and risk everywhere.” But that is also an admission that there are huge problems that need to be resolved ASAP.
Remember, we need to rethink our cybersecurity practices. What we are doing is not working. There are fields where our peers have no problem publishing critical risk models of their architecture. Civil engineers are required to file their plans, calculations, and other documents that are the equivalent of “threat models.” There are many reasons for that publication, but the one to remember for our cybersecurity work is the story of the Citicorp Center engineering crisis. If the building plans had not been available, the “student” who called William LeMessurier could not have asked questions about the equivalent of the “threat model.” Those questions prompted a re-examination that uncovered considerable flaws in the building’s design for resilience under wind loads (see https://en.wikipedia.org/wiki/Citicorp_Center_engineering_crisis).
Yes, we need to publish our threat models. If you are afraid, here is a path forward:
1. Make all threat models from all groups available to everyone within the organization. Provide a way for anyone in the company to view the threat models from all departments, products, networks, teams, etc. Establish a platform where anyone can comment, ask questions, and submit suggestions. Set up the tool so that people are rewarded for feedback, ideas, and actions that lead to reduced risk and improved resiliency.
2. Make the threat models part of what you give to customers. At first, make them available under NDA. Put them all in a “Security Sales” section so that your customers can find and access the threat models easily. Extend the feedback process so that your customers can comment, ask questions, and submit suggestions. Set up a swag giveaway budget to reward customers who poke a hole in your threat models.
3. Finally, once you realize that publishing threat models is ‘not a threat,’ make them public alongside all your other security compliance documents. BUT!!! When you publish them, provide an easy way for anyone in the world to submit comments, questions, and suggestions on the threat model.
It is also worth watching “The Most Dangerous Building in Manhattan.” It is a story that supports the reasoning for publishing your threat models.
