Most of the companies I worked for or know about have a bizarre threat modeling process. They count on the architect or the most knowledgeable person to do the threat modeling. It’s defined as a one-person job!
If your goal is merely to have it done, because it’s one of the required artifacts for your service to go into production or any other stage, that may be the right approach. But that is not threat modeling; it’s a false sense of security. You invite harmful attempts against your system because you have put all your eggs in one basket.
It’s the exact opposite of what a threat modeling session is meant to achieve.
Involve your team members when you do your threat modeling.
Every person in your team has a unique perspective and a way of thinking about possible threats against any system.
Every person has a different experience compared to the others.
Every person has different emotions and morale.
All of those qualities play a critical role in the threat modeling process.
Let me give you an example:
I started a fun and useful exercise to explain the goal of threat modeling: bringing people together in front of a virtual whiteboard and doing a threat model of a beer tap infrastructure.
We have a yard with a few doors into it. We also have the beer tap, a pressure system, key storage, and some power controls. We have two boundaries to protect.
The team members were encouraged to “go wild” and, individually, think for just 7 min about all the possible threats they could see against the infrastructure.
Then I asked them to put virtual “sticky” notes next to the components that could be threatened and to discuss the findings as a team.
I did that with six groups from different geo-locations, and every time I received different results. 90% of the threats were common to all groups, but 10% of them differed from group to group. This is how you make your modeling better.
For comparison, I asked a few people to do this exercise alone for the same amount of time, and the difference I saw was that the wisdom of the crowd identified 40% more threats than a single individual. If this is not hard proof, what is?
Involve your team members when you do your threat modeling. It’s the first step on your journey towards creating somewhat more secure products.