AppSecSchool:
Threat Modelling for Developers

Simplifying Threat Modelling: Think Like the Bad Guys

Threat Modelling is an indispensable skill in the domain of application security. Today, we'll venture into this arena, sidestepping complex frameworks and jargon. We'll keep it straightforward and follow the KISS principle - Keep It Simple, Stupid! Our focus is on a user-friendly approach that's perfect during feature design or coding.

Imagine a new feature or app as a treasured possession. Would you risk its safety in a perilous environment? Much like avoiding a risky neighborhood at night, you'd instinctively avoid placing your app in danger on the internet. If you've ever felt this protective instinct, you've already ventured into Threat Modelling.

Crafting Personas for Threat Modelling

Thinking in personas can assist developers in making threat modelling intuitive. These personas offer a snapshot of potential attackers and their motives.

  1. Organized Crime: Resource-rich, tech-adept groups that aim to steal data or compromise systems for financial gain.
  2. Scammers: They could be lone wolves or small bands targeting system loopholes or users for swift financial benefits.
  3. Personal Threats: Watch out for tech-savvy individuals with personal grudges. It could be an angry customer or a resentful acquaintance.
  4. Agents of Chaos: These hackers don't chase tangible benefits like money or revenge. Their goal is chaos, and they find joy in system disruption.

While considering these personas, relate them to familiar faces or even movie characters. For instance, wondering "What would Keyser Söze do?" can be a fun way to brainstorm threats.

Personas in Action

Dive into the mindset of a hacker. Contemplate the vulnerabilities in your app and how each persona might exploit them. If an acquaintance has a mischievous streak, ask, "How would they exploit this application?"

For every threat your persona-thinking reveals, ensure your app has defenses in place. If not, devise preventive measures.
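The persona exercise above produces a list of threats; the step that is easy to skip is checking that each one actually has a defence. The following Python is an added illustration, not code from the original post: a small threat register that ties the post's four personas to threats against a hypothetical "reset password by e-mail link" feature and reports which threats still lack a mitigation. The feature, the threats, the mitigations and the capability levels assigned to each persona are all constructed assumptions for the example.

```python
"""Persona-driven threat register (added example, not from the original post).

Ties the four personas from the post to constructed threats against a
hypothetical password-reset feature and flags threats with no defence yet.
"""
from dataclasses import dataclass, field
from enum import Enum


class Capability(Enum):
    """Rough resources/skill of a persona; used only to rank the gaps."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Persona:
    name: str
    motive: str
    capability: Capability


# The four personas from the post; the capability levels are assumptions.
PERSONAS = {
    "Organized Crime": Persona("Organized Crime", "financial gain at scale", Capability.HIGH),
    "Scammers": Persona("Scammers", "quick financial benefit", Capability.MEDIUM),
    "Personal Threats": Persona("Personal Threats", "grudge against one person", Capability.MEDIUM),
    "Agents of Chaos": Persona("Agents of Chaos", "disruption for its own sake", Capability.LOW),
}


@dataclass
class Threat:
    description: str
    personas: tuple              # names of personas that would plausibly pursue it
    mitigations: list = field(default_factory=list)

    def __post_init__(self):
        # Catch typos in persona names early rather than at report time.
        unknown = [p for p in self.personas if p not in PERSONAS]
        if unknown:
            raise ValueError(f"unknown persona(s): {unknown}")

    def likelihood(self) -> int:
        """Highest capability among the personas interested in this threat."""
        return max(PERSONAS[p].capability.value for p in self.personas)


# Constructed register for a hypothetical "reset password by e-mail link" feature.
RESET_FEATURE_THREATS = [
    Threat("Reset token guessed by brute force",
           ("Organized Crime", "Scammers"),
           ["128-bit random token", "token expires after 15 minutes",
            "rate limit on the token endpoint"]),
    Threat("Reset link reused after a successful reset",
           ("Personal Threats",),
           ["token invalidated on first use"]),
    Threat("Account existence revealed by different responses",
           ("Scammers", "Organized Crime"),
           ["identical response whether or not the e-mail is registered"]),
    Threat("Victim's inbox flooded with reset e-mails",
           ("Agents of Chaos", "Personal Threats"),
           []),   # no defence recorded yet: this is what the check should surface
]


def unmitigated(threats):
    """Threats with no defence recorded: the to-do list that comes out of a review."""
    return [t for t in threats if not t.mitigations]


def ranked_gaps(threats):
    """Unmitigated threats, most capable interested persona first."""
    return sorted(unmitigated(threats), key=lambda t: t.likelihood(), reverse=True)


def coverage_report(threats):
    """Per persona, how many of 'their' threats still have no mitigation."""
    report = {name: 0 for name in PERSONAS}
    for t in unmitigated(threats):
        for p in t.personas:
            report[p] += 1
    return report


if __name__ == "__main__":
    for t in ranked_gaps(RESET_FEATURE_THREATS):
        print(f"[likelihood {t.likelihood()}] {t.description} <- {', '.join(t.personas)}")
    print(coverage_report(RESET_FEATURE_THREATS))
```

Run as a script it prints the one open gap (the reset e-mail flood, pursued by Agents of Chaos and Personal Threats) and a per-persona count of open threats. The point of keeping the register as data next to the code is that the "does every threat have a defence?" question from the text becomes a check you can re-run each time the feature changes, rather than a one-off conversation.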

Embracing Diversity in Threat Modelling

Diversity is the spice of life, and it's crucial for comprehensive Threat Modelling. A diverse group, with varied backgrounds, offers a rich tapestry of perspectives. It ensures you don't just spot intricate technical vulnerabilities but also simpler threats that demand creativity rather than tech prowess. Including voices from non-tech sectors, like customer support, can yield unexpected yet valuable insights.

Wrapping Up

Threat Modelling isn't about overcomplicating things or fostering paranoia. It's about comprehending potential dangers and fortifying defenses. It balances creativity with technical know-how. As you endeavor to see through the eyes of potential attackers, you'll refine your Threat Modelling skills. Practice is key, and while some may find it intuitive, others will get there with persistence.