Peter John Torr

Demystifying the threat modeling process

In todays hostile online environment, software must be designed to withstand malicious attacks of all kinds. Unfortunately, even security-conscious products can fall prey when designers fail to understand the threats their software faces or the ways in which adversaries might try to attack it. To better understand a products threat environment and defend against potential attacks, Microsoft uses threat modeling, which should be treated like any other part of the design and specification process. In fact, singling it out as a special activity performed outside the normal design process actually detracts from its importance to the overall development life cycle. We must consider security needs throughout the design process, just as we do with performance, usability, localizability, serviceability, or any other facet.

Checking threat modeling data flow diagrams for implementation conformance and security

Threat modeling is a lightweight approach to reason about application security and uses Data Flow Diagrams (DFDs) with security annotations. We extended Reflexion Models to check the conformance of an as-designed DFD with an approximation of the as-built DFD obtained from the implementation. We also designed a set of properties and an analysis to help novice designers think about security threats such as spoofing, tampering and information disclosure.