The Security Table

Nobody's Going To Mess with Our STRIDE

Chris Romeo Season 2 Episode 12

Matt, Izar, and Chris take issue with a controversial blog post that criticizes STRIDE as being outdated, time-consuming, and does not help the right people do threat modeling. The post goes on to recommend that LLMs should handle the task. The trio counters these points by highlighting STRIDE's origin, utility, and adaptability. Like any good instrument, it is important to use the right tools in the right context. 

They also touch upon the common misconceptions about threat modeling, the misuse of tools like the Microsoft Threat Modeling Tool, and the benefits of collective threat modeling practices. Throughout, they defend the foundational role of STRIDE in threat modeling, promote the value of including diverse perspectives in the threat modeling process, and encourage looking beyond narrow toolsets to the broader principles of threat analysis.

FOLLOW OUR SOCIAL MEDIA:

➜Twitter: @SecTablePodcast
➜LinkedIn: The Security Table Podcast
➜YouTube: The Security Table YouTube Channel

Thanks for Listening!

Chris Romeo:

Hey folks, welcome to another episode of The Security Table, where we dispel myths, we

Matt Coles:

Take names.

Chris Romeo:

take names, we, we never mentioned, we never mentioned the people that uh, we, we're analyzing their written words and spoken words to provide some clarity to it, but I think before we dive into this particular episode, I do believe that Izar wanted to do a poetic demonstration here,

Izar Tarandach:

yes. For

Chris Romeo:

all

Izar Tarandach:

Last episode, I had a interpretative dance to explain where we were starting. So today, to put everybody in the right frame of mind, we are going to open with a piece of poetry from the 80s. that, along with the subject of today's episode, turned into something that we can easily call an ode to Adam. Ahem. Ahem. Ahem. You're the road and now you pray it lasts. The road behind was rocky, but now you're feeling cocky. You look at me and you see your past. Is that the reason why you're running so fast? And she said, ain't nothing gonna break my stride. Nobody gonna slow me down. Oh, no, I got to keep on moving. Ain't nothing gonna break my stride. I'm running at a one touch ground. Oh, no, I got to keep on moving.

Chris Romeo:

Wow,

Matt Coles:

were just on the, if you were just on the treadmill in the gym listening to that, and you are now picking yourself up off the floors, we're sorry.

Izar Tarandach:

Sorry

Chris Romeo:

wish we had a live studio audience so they could applaud and stand after that rendition. I mean, it was beautiful, It's true. Nobody's going to mess with our STRIDE is the, is the topic of this episode. So let me set it up so, so our listeners can follow and our watchers in Australia can follow along with, uh, where we're going and what's, what's gotten us fired up at the security table for this week. So a LinkedIn post and which has now become a blog post has been written and the title of it is the top three problems with STRIDE. STRIDE all in capital letters, meaning the threat modeling mnemonic. The top three problems with STRIDE threat modeling and what's next. And it begins with this picture of a threat model done in the Microsoft Threat Modeling Tool 2016. Uh, quite bizarre. picture, but we can get back to that later. Uh, but from a high level, the author who shall remain nameless is basically saying that STRIDE is a 25 year old checklist. So it's old STRIDE's, time consuming and wrote, and it doesn't lead people to the right people doing the threat model. Um, the ar the author argues, data flow diagrams aren't the best way forward. And then at the end concludes that LLM should do STRIDE instead of people. wait, you just told us about how everything was wrong with STRIDE. Now we wanna turn the LLMs loose on. So there's a lot to unpack here, but I just wanted to set the stage so the stage has been set. So before we even get into what's written in the blog post, I'm curious what. Matt and Izar, your opinions are of STRIDE in the year 2024.

Izar Tarandach:

So I'm holding in my hands an old tool. It is multi purpose. You can break things, you can build things with it. It's a hammer. And it's really, really one of the oldest tools that I think that people are aware of. And you know what? It works just fine. And you just to apply it in the right place, in the right way. If I try to use it as a screwdriver, it's not going to work. So yeah, I'll be keeping my hammer, thank you very much. Same way as, you know, I don't use STRIDE every day. I'm not a big proponent of STRIDE, but it's a tool. We each have a toolkit, and you should have the tools that are going to help you in every single different situation that you find yourself. T

Matt Coles:

STRIDE almost every day, and If we don't, even if we don't call it STRIDE, we used STRIDE. So STRIDE was a foundational concept, right? And it set the stage for threat modeling as an activity. It encompasses a lot of the really core things that we would look for as threats. And it spun off other things that we now rely on, like Linden, includes no dirt, or, um, and, and has other variations, right? STRIDE plus LM, you know, STRIDE plus lateral movement. And so to say it's archaic and, and obsolete, I think it's very misleading. Uh, you know, it's, it's kind of, it's kind of like old software components. Some components go, don't go, don't get maintained for a while because they work. And they don't need any updates. And so, as a security professional, STRIDE is critical for what we do. As a developer, STRIDE is really critical for what they do, even if they don't You know, if it gets marketed as a complaints thing, then that's different than actually making it a functional thing. Um, I, I think there's a big misconception, especially where the author's coming from, that STRIDE is, has reached its end of life. I think if anything, it certainly hasn't, and in fact, if, you know, if, even if you don't call it a STRIDE, any other name may work just the same, uh, and so, you know, and anytime you're doing threat modeling, if you're looking at You know, security best practices, if you're looking at, uh, design principles for, or if you're looking at anything that comes out of the ATT& CK framework or out of CAPAC, you know, common ATT& CK patterns, those can all relate to STRIDE. It's like another good example, you know, for this is we don't refer to ISO. all the time, but almost everything we refer to refers to ISO. So

Izar Tarandach:

Hmm.

Chris Romeo:

Mm hmm.

Matt Coles:

a hierarchy of things. There may be something above STRIDE, like the four question framework is a good example, right, in threat modeling. STRIDE fits within that four question framework, and other things refer to STRIDE in that hierarchy. Even if we don't call it that, and even if we don't refer to it, it's still, it's still present. So

Chris Romeo:

Let me, um,

Matt Coles:

it's fundamental.

Chris Romeo:

let me, uh, let me, let me share a little story time because I have an interesting relationship with STRIDE. I like to refer to this as my love hate relationship with STRIDE. No, I mean, so when I first I got to Cisco and I started, uh, really pursuing threat modeling. This is back in, I don't know, 2011, 2010 when I'm doing this at Cisco. I find STRIDE and I'm like, oh, this really makes sense. It's a nice mnemonic, it's a easy, it's easy to get people started with it, you can, it's easy to understand, you don't, a lot of times people, they don't look at it and go, this is so complicated to understand, it's simple, it's something they can, they can remember and it's a starting point. And so I started, I used STRIDE for a few years, uh, but then I got cocky, and I, and I decided, you know what, STRIDE is just too simple. And I'm going to start teaching threat modeling using other methods. I'm going to go to some of these other sources that Matt mentioned, and I'm going to use those as the basis for how I teach people to threat model. Things like CAPEC and CWE, and uh, those were two of the, the two of the prominent ones. ATT& CK wasn't available yet at this point, or DEFEND. But CWE was, CAPEC was, and so I started using those as teaching tools. And you know what I found? People were confused because they're like, but there's so many things. How do we narrow it down? How do we understand we don't, this doesn't make sense. You want me to search this database to try to figure out what the things are I got to think about. And then I read the entries and I don't even really understand how it applies to my product. And so, you know what I did? I went back to teaching STRIDE. And so, for me, STRIDE is really a teaching tool and a gateway.

Izar Tarandach:

Yep.

Chris Romeo:

Do I want people to use STRIDE for the, for every threat model that they ever create, from the first one to the 972nd one that they create? No. But I want them to use it for the first one, maybe the first ten. What, but what I've seen happen in my experience is people internalize it. They don't, they no longer need to go, let's go through spoofing, tampering, or PDH. They just make it, they use it enough times, it becomes part of how they operate. Part of how they consider what the threats are. And so for me, STRIDE is a foundational piece of how we approach threat modeling. And it should not go anywhere.

Izar Tarandach:

Well,

Chris Romeo:

where I landed.

Izar Tarandach:

let's, let's make a distinction here. I think it's important because you can talk about STRIDE as a methodology, which is a shortcut for the application of STRIDE in a threat model. You can talk about STRIDE as the, uh, the, the acronym itself, right? With the impacts that something would lead to. And separately, I think that they're both. Great tools to move people from one stage to another in the journey, especially to get them started, because it doesn't bind, people don't get bound by it, but they get a sort of like, this is where I'm looking at. And that's why STRIDE is something that you can use to play cards. Elevation of Privilege is in there. And STRIDE is the structure behind it, right? So it gives you this focus towards those initial, uh, uh, uh, speed bumps of how do I, how do I even start this thing, right? It gives you a horizon to go to. And I think that, as Chris said, sometimes it gets under your skin and you just start doing STRIDE without calling it STRIDE, without referring to it STRIDE, but you have that, those impacts in your head and you are always striving towards them, right? Across the years, I think that a lot of people try to add something to STRIDE, but then it, what happened was what Matt said, you got Linden, you got, No dirt, right? Because people keep looking at that acronym and thinking to themselves, what else, what's missing here? What's missing? And that's a very difficult question to ask and answer to give.

Matt Coles:

STRIDE. LM is probably the only direct extension of STRIDE that I've seen that has had any traction whatsoever. And

Chris Romeo:

and that's the one I've actually adopted that going forward. I'm using STRIDE ALM now in teaching, in discussing threat modeling, in advising people on how to get started with it. Because I think that lateral movement really is different than elevation of privilege. Elevation of privilege for me is a given service, you have some user account access, and you're trying to elevate that service to admin access or super access or whatever. Whereas lateral movement for me is more about how an attacker moves through the network, through the data center, through the, Kubernetes cluster, uh, making their way through various containers. And so it's a different thing. It's, it's something good. Cause some, the argument against LM is to say, oh, well, it's just elevation of privilege. And so I land on, no, it's not. But I, and I think that's a worthy thing to add. And that's something that I'm adding to STRIDE going forward.

Matt Coles:

yeah, it's, uh, it brings in a level, it brings in, um, the concept of architecture where traditionally in d in, in threat modeling, we, we sort of ignore the architecture and, and LM. Brings that, brings that back in, like there's more beyond this thing than the system that you're modeling. There may be stuff outside of it that you now have to, like, if you're modeling a system that is a front end for your backend infrastructure, it's important to know that I'm not going to stop here is the exact, I'm going to go elsewhere. Right, and LM introduces that.

Izar Tarandach:

Which brings us to another point that the author made. Why do I need to make a data flow diagram?

Matt Coles:

Before we get there though, sorry, I just want to close, add one other thing on the, on the STRIDE discussion. It is possible It is certainly possible for it to become, uh, while we use it, we're saying here that it's foundational, and I think that's true, and it's a great learning tool, and I definitely think that's true, and then it becomes sort of part of the toolbox that developers and others know, sort of, even if they don't, again, they don't call and refer to it directly. However, we should recognize that it is possible, and certainly likely in some cases. that you could take that to an extreme and mandate it. And so now it no longer becomes a toolkit and it becomes now a compliance. So don't do threat modeling, do STRIDE. And STRIDE equates to threat modeling and therefore that's all you know and that's all you can do. And so there could be some limitations there. Um, and that's important to recognize, right? So it's, it's not just, and it may be that the author had an experience where they worked in an organization required STRIDE. And the story, right? And, and put it, put it in a bad light.

Chris Romeo:

Yeah. So shall we walk through this article a little bit and explore a couple of the points

Matt Coles:

Sure.

Chris Romeo:

that we see

Izar Tarandach:

were going into the DFT, but perhaps before we have to go into the who's supposed to do the threat model anyway, which is a good one too.

Chris Romeo:

Yeah, and I think that's where we see some confusion from what I think the three of us prescribe as to how you do threat modeling here. And I'll just read it verbatim here so we can discuss what we see. I don't like STRIDE very much. This isn't me speaking, this is the author. I don't think anyone really enjoys STRIDE, yet it has remarkable use in the industry. In my experience, the usual STRIDE recipe is to ask in parens, force an engineering team to make a data flow diagram of their system and then spend some 60 to 90 minutes in a large meeting going and asking the group these questions for each component. And then they're spoofing, tampering, he's got questions associated with each one. This isn't how I recommend people do threat modeling. I don't know, what do you guys think?

Izar Tarandach:

I think that not only Matt is right, DFTs are not STRIDE, right? DFTs are not necessary. Those large meetings are not necessary, but yes, anybody who has read the manifesto can Uh, no. It's actually a good thing to have that large meeting. It's actually a good thing to have a map to your system, a representation that shows where you are right now so that everybody can get, the, uh, situational awareness of are we talking about the same thing. And while it's not necessary, it helps. Basically the same way as STRIDE itself. You don't have to use STRIDE, but it helps. So the author is, seems to be putting a lot of tools and helpers in, in a box and then closing that box and saying this is bad, move it away,

Matt Coles:

Right. And they're all, and they're all equivalent by the way, right? So equating the tool and, so even equating STRIDE as a methodology and as a threat library, right? So STRIDE is ultimately a way to think about threats and it's a way to influence the methodology. And actually this is something really important, uh, something we probably should talk about as well, is because STRIDE. Brought with it a methodology. You had STRIDE per element and STRIDE per interaction, which has been both a ble I think a blessing and a curse, or a, a, a, a good advance and a, and a, and a significant limitation. We see this across the, the, the set of tools that are available today, often, we'll use per interaction or per element based threats. That comes, I think that pretty much comes from the way that STR, stray the way that STRIDE was implemented over the years. Right? So you look at a process and how do you spoof that process or how do you tamper with that process, or how do you tamper with the interaction with that process, meaning a network communication. And so when you look at that point to point, that point or point to point, uh, uh, threat analysis. That's, that's sort of a, a shadow of STRIDE thing, um, STRIDE introduced that, I believe, I believe that if I, if I remember correctly, and, and, and I hope so, cause, you know, we kind of wrote a book on this, uh, that, that the, that, that was a concept that came along with STRIDE. To Izar's point, you don't need a diagram to do this, although it helps, we're humans, we're visual, we like them. DFDs are not the only diagrams that exist. Other diagrams can be used, you know, whether you want. DFDs, or sequence diagrams, or C4 models, or, uh,

Izar Tarandach:

UML,

Matt Coles:

yeah, whatever you want, right? Uh, some representation that you can then look at and go, Oh, do I have, do I have an interaction that may be susceptible to tampering? And that's how you apply STRIDE, the library, in a methodology. And then, who do you need to involve? I mean, that's up to your organization, right? When you look at the Threat Modeling Manifesto, you know, outcomes, and The way you operate threat modeling needs to work for your organization and for your team.

Chris Romeo:

Yeah, and I think you've, you've highlighted here something that the author considered a problem. STRIDE is time consuming and rote. Uh, is STRIDE good for anything? It's ensuring you've thought of everything. Now the funny thing is, when I teach STRIDE and when I use STRIDE, I throw away the methodology side of it. I don't even tell people to, oh, if this is a data flow, you have to consider these, these things out of STRIDE. I just use STRIDE generically across the entire picture. And I say, let's, let's kind of flow through and look at each thing. I always tell people, well, focus on places where data flows cross trust boundaries. Start there, because that's where interesting things are always happening. in the world of the system. If something's happening deep in the innards of the system and there's a connection between two things, it's probably not that interesting because as an attacker I can't, unless I'm in the building and sometimes like in the horror movies you're inside the house the whole time. But

Matt Coles:

that's coming from inside.

Chris Romeo:

yeah, you're open. So I mean, so I get what you're saying, Matt. There is a methodology behind this. It is, I think you can use that in the early days when people are stuck, People can't always freestyle as well into, Oh, I just consider all of these threats against everything in my diagram. That's the point of the facilitator in the way that we all teach threat modeling. We don't just turn people loose and say, good luck. We facilitate, we walk them through, we demonstrate a process. So I think that's, you know, I think, I think we've, we've addressed the STRIDE as time consuming and wrote and, and pointed out what's wrong with that statement, but then we come to who's supposed to do the threat model anyway. Right. And the author provides really three different options. Doing it together, and then in parentheses and saying, and waste everyone's time. So I think that's a pretty strong statement there. I mean, I don't consider it wasting my team's time when they come to understand the system that they work on better. by understanding the security and privacy, uh, properties of it and failures of it in its current instance. Uh, the second option, upskill all engineers to expert threat modelers. I love when people use the word expert. I just

Matt Coles:

What's a, what's an expert threat modeler? Seriously,

Chris Romeo:

yeah, give me a definition of that. And then the third one, teach security the intricate details of every system at their company.

Matt Coles:

that sounds like there's, uh, there's a little bit of a process, you know, thing, an issue, the way that their organization has implemented threat modeling and, um, maybe now's a good time to point to, uh, Threat modeling manifesto now comes with a set of capabilities to consider this author may want to, um, may want to visit.

Izar Tarandach:

But even, even before that, and, and that, that's a great reminder, but even before that, if we look at points one, two, and three, okay. And we go to one and say, doing it together and in parentheses and waste everyone's time. Let's assume for a second that this was done in a, I'm going to use the word proper, but let's say efficient way. Right. And it wasn't. a waste of everyone's time. Why? Because of points two and three. Upskill all engineers to threat modelers. Let's drop the expert word for a second. And teach security the intricate details of every system at their company. The moment that I have everybody talking together around a process of threat modeling, we get two and three for free. Because security people are going to learn more about the system, and system people going to learn more about security. Are they going to come out experts? No. Are they going to know all the details? No. But everybody comes out knowing more about each other's work, which in the end leads to good outcomes, right? So don't tell me that doing it together is a waste of everyone's time. You're just saying, you know what, you should get one person, sit them in front of one tool, whatever the tool is? And they'll come out with a threat model. And that's the Hero Threat Modeler, which we have proven again and again is a bad thing.

Matt Coles:

And, and, and, you know, devil's advocate, I'll take the, I'll take the author's side for just a moment. Generally don't agree with this, but just a moment. If, uh, If their goal, if their organizational goal is, is purely developer throughput and, and develop, you know, developer cycles, um, you know, code, code delivery velocity, maybe you don't do it with everybody. But I wouldn't, I certainly wouldn't call it a waste of time. Whoever you do it with and the outcomes you get from it can be valuable.

Chris Romeo:

Yeah, and I would even take it further and say in a highly performing engineering team, I don't want everybody, I want, I want people doing their own threat models. I want small teams forming, probably, likely around the scrum teams as far as how they're doing their work now. I want them threat modeling at that level. I want threat modeling as a discussion point at the stand up. Hey, we had three things come out of the threat model. Uh, let's make sure, you know, do we have tickets assigned to those things? Do we, are we tracking those things through? Yeah, we've got them scheduled for the next sprint, for this sprint, whatever. Like, I don't think of threat modeling as a, this is kind of like a 1990s approach to threat modeling. let's just have everybody get to come in the engineering team, get together and do the threat model. Like that's, that's how we used to think about this a long time ago, but that doesn't work in the modern day.

Matt Coles:

guys are ha uh, is there, is, uh, is Israel's in the region? Yeah. Earthquake Alert in the, in his region. Um, so I'm reminded that we had a guest on this podcast a while back who, uh, is a recent convert fan of threat modeling, but, but he, if I remember correctly, the statement he used was, I don't want my developers doing threat modeling. I don't want all of my developers doing threat modeling.

Chris Romeo:

Yeah.

Matt Coles:

So there is a, and there is a thought here that not everyone does it, but everyone should benefit from it.

Izar Tarandach:

Yes, but you know what I think about it? I think that everybody should threat model all the time. And make it official with every story. But, uh, no, I totally can see the assertion that not everybody has to be involved all the time, right? But I think that at an individual level, you can do it all the time, even if you're not doing it as a formal process. You can just embed that into your Thought process and workflow. Let's put it like that, right? Especially because as a developer things that you do impact the threat model directly and You and things that you do should be impacted by the threat model so

Chris Romeo:

we go too far off on a tangent, kind of our own making, I want to circle us back in and just knock out the last couple of pieces of this article. Um, why do I need to make a Dataflow diagram? Matt already, and Izar, you already made points about this. Like you don't, STRIDE doesn't require a Dataflow diagram. Um, it's, it's, you can apply STRIDE to a user story if you want to. It's, it's just a conversation. It's a discussion, but then let's go to this last one. So after making, I'm going to set this up in what I feel is probably an unfair way, but I don't care. After making this argument about everything that's wrong with STRIDE, STRIDE is time consuming. It's 25 years old. Um, it's, it requires a data flow diagram. The author concludes this by saying LLM should do STRIDE instead of people.

Matt Coles:

Okay, but hold on, you missed, you missed the part of the article that's very important to

Izar Tarandach:

oh Yeah, yeah, yeah, yeah

Matt Coles:

And, and, uh, so he called out a particular tool as an implement, as, as STRIDE.

Izar Tarandach:

an embodiment of STRIDE

Matt Coles:

it's really important that,

Izar Tarandach:

Yes, the Microsoft Threat Modeling tool is not equal to STRIDE. But furthermore, well, furthermore, he mentioned that that tool creates a long list of findings, and that he is very concerned about the amount of those findings that are just marked in the tool. Ignore. Right? Because they are not relevant or because they are not at the resolution that the team is looking for. And then Chris, take it away.

Chris Romeo:

Okay. So, uh,

Matt Coles:

want to talk about the Microsoft Threat Mining

Izar Tarandach:

Yeah, we we'll get there. We'll get there. But let, let's go into the LLM thing

Chris Romeo:

I'm just, I'm baffled when somebody says, this thing is terrible. This thing is not, doesn't work. It's antiquated. It's overwhelming in the amount of process you have to apply, but then use it with an LLM.

Matt Coles:

he could have said, you'd let the intern do it. I mean, would that

Izar Tarandach:

Yeah, exactly. Exactly. But the, the, the thing, the thing that bothers me here is that if we walk the clock back to a year ago when this LLM thing started. popping in the scene. And I remember the LinkedIn posts of people going, I just described my system to JTPT and it came out with all the possible threats and it's using STRIDE and it's amazing. Oh my God, they don't need to threat model anymore. And then they stopped and they read the output. And you know what? The output was, wasn't exactly very different from what get from the TMT. Both in number and in aspect and in, uh, sometimes applicability, you know. The things that sometimes I get from the LLMs, something awesome, like the ice cream vendor is a denial of service vector because they don't show up on Fridays or something like that. But at the end of the day, you know, it's rules, it's a description, it's a formality applied to a rule engine, and you get what you get. It's the input and it's the output. Can you get good stuff from LLMs? Definitely. Will an LLM threat model for you? Definitely not. Right. But I, I,

Matt Coles:

out.

Izar Tarandach:

yeah. Yeah. And, and I think that what, what Chris said is, is is just like straight on point. I mean, don't come and, and, and tell me that this thing sucks and then say, oh, by the way, if you just apply this new technology to that thing,

Matt Coles:

It's less

Izar Tarandach:

I'm not saying no, I'm not saying that it doesn't suck, but it's not going to be your suck. It's going to be the tool suck. Right?

Chris Romeo:

it gets even better in the final paragraph. It's a fricking sales pitch.

Izar Tarandach:

No, no, no, no, no. That that's fair. Come on, come, come, come on. People have to sell their stuff. Uh, I'm not, no, that, that, that's fair.

Chris Romeo:

I, I, I believe in saying what you believe. I believe in sharing controversial opinions about things that you assess

Izar Tarandach:

We never noticed that.

Chris Romeo:

Yeah, I know it's, it's, people don't know that about me. It's, I'm a bit of a wallflower.

Izar Tarandach:

Every time we learn something new. Yeah.

Chris Romeo:

but I mean, take your stand. Don't use it as a sales technique at the end. Come on. That was, that was, I mean, you didn't,

Izar Tarandach:

Nah, come on, come on, come on, come on. It's, it's today's marketing. Besides, who, knows? An LLM might have written this. But,

Chris Romeo:

a good point. That's a

Izar Tarandach:

you know?

Chris Romeo:

So, I mean, I don't know. I mean, you wanted to talk about the Microsoft threat modeling tool. Let's, let's

Matt Coles:

I want to, I want to bring it up because he highlights it as the reason why STRIDE sucks, which again, let's reinforce Microsoft Threat Modeling Tool implements STRIDE. It is not STRIDE.

Chris Romeo:

Hmm.

Matt Coles:

More importantly, it implements per interaction or per element threat detection using a threat library, and by default, it uses the STRIDE threat library. Now, and I guess I'll just throw it out there, I know you guys probably don't agree with me by saying STRIDE is a threat library. Ineffective it is, it's a constrained set of threats that we're looking for. Those threats

Chris Romeo:

yeah, I don't have a problem with that description. Yeah, I think that's

Matt Coles:

Um, and so, um, but the Microsoft Threat Modeling tool is both the It is both, in my opinion, was the best thing to happen to threat modeling and one of the worst things to happen to threat modeling.

Izar Tarandach:

Wow, yeah, yeah.

Matt Coles:

the very least, it jump started the whole discussion on threat modeling and provided an easy way for people to get started. On the other hand, It provided, it provided an easy to use tool that was very hamstrung in its capability and people went full, full tilt on it and, and got locked into it.

Izar Tarandach:

On the third hand, we are still using it.

Matt Coles:

we're still using it. So, so it has, it has value because it does what it does pretty well. And there's only a handful of other tools out there that are free. I mean, there's some commercial tools, obviously, uh, but there's some, but there's very few free tools that do what it does. Um, It's hard to like, there's a lot of challenges with the, with the Microsoft online tool today. At the very least the rule set and the default rule set. So the default, the default rule set is not simply spoofing, tampering, repudiation, et cetera. It's all the possible combinations of those things for all the objects that are defined in that, which of course is influenced by Microsoft's SDL program and all of the things that they have to have to cover. And so

Chris Romeo:

you think they use it still?

Matt Coles:

I think that.

Izar Tarandach:

Some people, some people still jumped into it,

Chris Romeo:

Do they

Matt Coles:

Yeah, I think that they do.

Izar Tarandach:

Which, in light of the news this week, is scary by itself, but let's not go there this week.

Matt Coles:

Well, I guess the question would be how much is Copilot, for instance, going to

Izar Tarandach:

but, Matt, the, the, the thing that I'm hearing is it's a one legged spider, it's not going to, to put up a web, but you know what, it's good for what it does. I mean.

Chris Romeo:

Well, it was good. It was good historically, right?

Izar Tarandach:

No, I think that still today,

Chris Romeo:

It, let me, let me throw it to you this way. Is threat modeling as popular today if there was never a Microsoft threat modeling tool?

Izar Tarandach:

okay,

Matt Coles:

if, oh, go ahead. Yeah, what's your thought? Because I, I have an

Izar Tarandach:

I think that even today, okay, if the pointy haired person comes to a developer and says, we need to threat model, figure it out. That one person sitting in front of one desktop using one tool could get into the threat modeling tool and the Microsoft threat modeling tool and get something out of it. But they are going to.

Chris Romeo:

I want to go

Izar Tarandach:

Yeah, no, no, no, no, wait, wait, wait, they are going, even historically, they are going to fall out of the bounds of the tool very, very quick, right?

Matt Coles:

unless they don't know that they are, unless they don't know that they

Izar Tarandach:

no, no, no, it's going to, it's going to get ungainly very, very quick,

Matt Coles:

I guess what I mean is if they don't know anything beyond the tool, They won't know that there's more out there, right? There's no opportunity for

Izar Tarandach:

True, but, but, but they're going to start carping about it very quick. and that's going to lead them in a journey of discovery of what else is out there, right? What I mean is, back back the day when I gave the tool to someone and said, here, figure this out or, or let this help you, it was a very short period of time until they came back to me and said, I can't continue using this because of A, B, C, D, E. Where A, B, C, D, E usually was scaling, speed, quality of threats, and the fact that sometimes it doesn't load the thing that you just saved 15 minutes ago.

Matt Coles:

Minor problem.

Izar Tarandach:

True story, true story.

Chris Romeo:

Yeah, yeah, but what I'm saying though is, a lot of people picked up threat modeling as a result of the Microsoft Threat Modeling tool, who didn't have Izar as their coach inside of their company to enlighten them. Like I remember, do you remember the Microsoft Threat Modeling tool when you had to have Visio installed?

Izar Tarandach:

Oh gosh, yeah,

Chris Romeo:

it to make it work. Like, I mean, I remember the initial versions of this thing, but my, my premise or my hypothesis here is that the Microsoft threat modeling tool did move our industry forward more than if we had not had it, it definitely moved us further afield than it would have if we did, if it didn't exist. Now, was it perfect? Never. Do I love it? No. But was it a part of our threat modeling history?

Izar Tarandach:

Yes,

Chris Romeo:

part of it? Yes. It did move, it did move

Matt Coles:

it's And it spun off the creation of tools like the OWASP ThreatDragon, which tried to provide an alternative to it,

Izar Tarandach:

yep,

Matt Coles:

And it had some capabilities that the Microsoft Flatman tool still doesn't have. Um, but it didn't get the same level of traction, probably also because, you know, Microsoft was very aggressive with pushing their SDL program, and of course all their guidance points to that tool. They built one specifically for Azure cloud services and whatnot, and so there was a lot of traction. Microsoft Mechanics You know, they did a, they did a good, they did a good job marketing it

Chris Romeo:

Okay.

Matt Coles:

and, and, but to some extent, and again, this is where it's also the most, one of the more dangerous tools, uh, in this industry. Uh, or worse, maybe a bad thing that happened is once you're in the Microsoft Owen tool, it's really hard to get out of the Microsoft threat modeling tool.

Izar Tarandach:

yep.

Matt Coles:

You know, and, and there's some fun, fun, I mean, oh my God, the list of limitations around things like model sharing, even cross model analysis within the tool itself, you know, so it's not, it's not DevRot,

Chris Romeo:

It's not something we would recommend. Like, none of us are recommending it today. We're not telling anybody, go, go grab the Microsoft threat modeling tool. So that wasn't my, my point wasn't that it's valuable today. My point was it was a value. It's been valuable throughout our history as a community.

Matt Coles:

And so, you know, if the, if the author here is saying, is it making the equivalency that, that, Oh, Microsoft's Redline tool is STRIDE, and therefore STRIDE is bad because look at all these threats I get. And I'm forced to make them, mark them all ignore just to make security happy. There's a lot of stuff coming together. There's a lot to unpack in that statement. It's not STRIDE sucks. It's your organization processes are broken or, or, or over onerous. And you're using the wrong tool for the, for what you're, what you need to do.

Chris Romeo:

Yeah.

Izar Tarandach:

by the way, use

Matt Coles:

you considered, and have you considered something else short of an LLM?

Chris Romeo:

Yeah. So to, I want to kind of wrap this, I want to land the plane here, wrap this conversation up, referencing two things that, one thing that each of you said, because I think this is really our ultimate answer to people that are, that are struggling with this issue. One is read, read or reread the threat modeling manifesto. As a reminder, you won't find the, the, the mnemonic STRIDE. in the Threat Modeling Manifesto on purpose, because that wasn't the, that isn't really the essence of threat modeling. It is, we, I think it's a valuable piece forward, but in the Threat Modeling Manifesto, you will find the essence of threat modeling. That's the best way I can describe it. The second thing is the threat modeling capabilities. We've pointed a number at this article and shown a number of different things that are just bad threat modeling program practice. These are not ways, this is not a way we would, we would recommend anybody roll out a threat modeling program today. But, as it turns out, Izar, Matt, Chris, and 12 or so of our closest friends put together a document called Threat Modeling Capabilities where we described the, the different capabilities of a high performing threat modeling program. program. And you can take those capabilities and use those to, to start a program, to improve a program, to assess a program. There's a lot of different ways you can use it. And no, it's not maturity. Just for those people at home that thought it was a maturity standard. It's not. Matt was correct. I was going to start twitching at me in a second. Um, but, but, but my point is I wanted to, I just wanted to land the plane with this couple of positive references. So if you've heard this whole conversation and you're like, I don't get why everybody's arguing about this. Go read the manifesto, go read the capabilities, use those as positive steps forward to make a kick butt threat modeling program, use STRIDE if you want to, because people like us think it's still valuable in our

Matt Coles:

Use the Microsoft domain tool if you want,

Chris Romeo:

If you find a

Matt Coles:

know why you're, know why you're, know why you're using it.

Chris Romeo:

Yeah, yeah.

Izar Tarandach:

as as you find value, Chris is right on the money. As soon as you, if you get value out of it, keep doing it and keep improving on it. If you don't, find something else. There's a lot of stuff out there to help you. you.

Chris Romeo:

And so with that, we'll wrap up this episode of the security table and, uh, tune in again soon for us to pontificate for 15 or 30 minutes on somebody else's article, but it'll be a good issue. We won't just pick on an article. There's always

Izar Tarandach:

And nothing broke our STRIDE.

Chris Romeo:

Nothing broke our STRIDE. All right. Thanks.

People on this episode

Podcasts we love

Check out these other fine podcasts recommended by us, not an algorithm.

The Application Security Podcast Artwork

The Application Security Podcast

Chris Romeo and Robert Hurlbut