Threat Modeling: Are Data Flow Diagrams Enough?

By Stuart Winter-Tear, Director of Sales Engineering, ThreatModeler Software, Inc.

As part of the 1st International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS), a paper entitled “Security Threat Modeling: Are Data Flow Diagrams Enough?” was reviewed and accepted. Anybody interested in the field of threat modeling would benefit from reading this relatively short and fascinating paper by Laurens Sion et al.

The underlying premise of the paper is that traditional threat modeling approaches, such as Microsoft’s mnemonic STRIDE, rely on Data Flow Diagrams (DFDs), which have fundamental weaknesses.

The authors identify four significant shortcomings of DFDs, giving rise to “a non-trivial roadblock towards more mature threat modeling approaches.”

In the concluding paragraphs the authors put forward this opinion:

“While DFDs are commonly used as a basis for threat modeling exercises, their semantics are not sufficiently rich to capture and express all the information that is relevant for such a security analysis. One could argue that DFDs, despite this limitation, have gained traction for threat modeling because they only serve as a communication vehicle between stakeholders to bootstrap the activity, but serve no formal role beyond that.”

Although the focus of this paper is the formation of a common modeling language, ThreatModeler has long argued that the DFD approach is inadequate in the modern operational environment:

DFDs are detailed flowcharts first developed in the early 1970s when applications were created to run on a specific infrastructure. At that time, considering threats to an application separately from the infrastructure would not make sense.

Compare that to today’s interconnected cyber ecosystem, in which applications are developed to be platform independent, and particular threats exist because of the interactions between applications and shared infrastructure components. Today’s production and operational environments are entirely different from the situation which gave rise to DFDs as a useful analytic tool.

Any discussion with a skilled bug bounty hunter around their methodology soon reveals that they are not using a DFD approach, but are more interested in abusing ordinary use-cases (process flow abuse). This is achieved primarily by first traversing and mapping the application just as a standard user would interact with it, and then subverting this standard usage in an attempt to reveal potential underlying vulnerabilities.

In view of this, since the goal of threat modeling is to reach into the mindset of an attacker in order to shore up any potential vulnerabilities, it makes sense to visualize the technology stack as a Process Flow rather than a Data Flow.
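As an added illustration (not code from the post or from ThreatModeler): a toy process-flow model of a checkout use case, with a check for the ordering bypasses a DFD has no way to express. The step names, transitions and prerequisites are constructed.

```python
"""Toy process-flow threat model (added example, not from the post).

Steps are the ordinary use-case a user walks through; each transition is a
path the application actually exposes. A DFD only records which components
exchange data; a process flow also records order, so we can ask a question
a DFD cannot: which sensitive steps are reachable along some path that never
visits a required prerequisite step (classic process-flow abuse)?"""
from collections import deque

# Constructed sample checkout flow: step -> steps reachable from it.
FLOW = {
    "browse":   ["cart"],
    "cart":     ["login", "checkout"],   # 'checkout' reachable without login
    "login":    ["checkout"],
    "checkout": ["payment", "confirm"],  # 'confirm' reachable skipping payment
    "payment":  ["confirm"],
    "confirm":  [],
}
# Steps that must already have occurred before a sensitive step is entered.
PREREQS = {
    "checkout": {"login"},
    "confirm":  {"login", "payment"},
}


def find_bypasses(flow, prereqs, start="browse"):
    """Return {step: missing prerequisites} for every sensitive step that has
    some path from `start` along which a required step is never visited."""
    findings = {}
    # BFS over (step, set of steps visited so far) so each path keeps its history.
    queue = deque([(start, frozenset([start]))])
    seen = set()
    while queue:
        step, visited = queue.popleft()
        if (step, visited) in seen:
            continue
        seen.add((step, visited))
        missing = prereqs.get(step, set()) - visited
        if missing:
            findings.setdefault(step, set()).update(missing)
        for nxt in flow.get(step, []):
            queue.append((nxt, visited | {nxt}))
    return findings


if __name__ == "__main__":
    for step, missing in sorted(find_bypasses(FLOW, PREREQS).items()):
        print(f"{step}: reachable without {sorted(missing)}")
```

Removing the two shortcut transitions (cart to checkout, checkout to confirm) makes the check return nothing, which is the design change the model points a defender towards.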

Looking at an application (or your entire cyber system) with architecturally-based process flow diagrams is similar to looking at a building blueprint to determine where and how a thief or other attacker might strike – very useful for setting up a home security system.

In the latter case, we assume the building structure will function equally well for the thief as it does for the legitimate occupants – the engineering is all good. However, what we need to know is how the attacker will get in, move through, and exit the structure with our valuables. That way we can determine the best way to set up our security system to stop the intrusion, or at least catch the criminal after the incident.

Automated threat modeling software using process flow diagrams allows defenders to approach their systems from the same vantage point as attackers – architecturally – thereby providing exceptionally useful insight from which the organization can understand its unique attacker population.


ThreatModeler leverages architectural process flow diagrams, which are well suited to securing modern, fast-moving, highly agile operational and development environments throughout the SDLC.

If you would like to know more about process flow architectural diagramming and the ThreatModeler platform, please feel free to contact us for a more in-depth discussion.
