Threat Modeling – Sanity Check List


Hi, I am Sagar Joshi and I work with the ACE Services Team.

There is a lot of awareness building around TAM, the Threat Analysis and Modeling tool developed by ACE. I have come across practitioners from various disciplines who want to start threat modeling to get an idea of the possible threats to their systems. At first, threat modeling with TAM appears to be a very simple and straightforward process, right from tool download and installation through to its use. This apparently simple and effective process does, however, warrant certain care and due diligence in order to build a good threat model. Some of the considerations for effective threat modeling are as follows:

1. Ideally, someone in an application architect or lead developer role should build the threat model

2. It is vitally important to have access to the people and the information covering all aspects of the application

3. Based on your understanding of the application environment, populate the attack library with attacks, the relevant countermeasures, and the relevancies that tie them to your environment

4. Discuss the production environment configuration with the appropriate teams; development teams often do not have sufficient information about production environments

5. Use security principles such as least privilege and attack surface reduction to verify the assumptions and information provided by the team

6. Use cases should cover the variety of actions that an application user or system user could perform

7. Components should have the appropriate relevancies identified

8. Service roles that invoke actions across application tiers need a corresponding identity defined

9. Use the analytics to check the completeness and coverage of the various ways of accessing data elements

10. Seek a risk response from the business users and stakeholders
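Items 5 through 9 are the ones that can be checked mechanically once the model is written down. The script below is an added example, not part of the original post and not TAM's file format or its built-in analytics: it uses a hypothetical, constructed in-memory model (an access-control matrix, use cases as role/action/data triples, components with relevancy tags, and service roles with identities) and runs the kind of sanity checks the list describes: access the matrix grants that no use case walks through, use cases the matrix does not permit, data elements nobody can reach, roles holding full control of a data element (a least-privilege flag), components without relevancies, and service roles without an identity.

```python
"""Sanity checks over a small threat-model description.

Added illustration only: the structures below are a hypothetical stand-in
for a threat model, not the TAM file format or its analytics.
"""
from typing import Dict, List, Set, Tuple

Triple = Tuple[str, str, str]  # (role, action, data element)

# --- Constructed sample model ------------------------------------------------
ACTIONS = ("create", "read", "update", "delete")
DATA: Set[str] = {"Order", "PaymentCard", "AuditLog", "ArchivedOrder"}
SERVICE_ROLES: Set[str] = {"OrderService", "PaymentProxy"}

# Access-control matrix: (role, data element) -> actions the role may perform.
ACCESS: Dict[Tuple[str, str], Set[str]] = {
    ("Customer", "Order"): {"create", "read"},
    ("Customer", "PaymentCard"): {"create"},
    ("Support", "Order"): {"read", "update"},
    ("Support", "AuditLog"): {"create", "read", "update", "delete"},  # too much
    ("OrderService", "Order"): {"create", "read", "update"},
    ("OrderService", "PaymentCard"): {"read"},
    ("OrderService", "AuditLog"): {"create"},
}

# Use cases the model actually describes, as (role, action, data) triples.
USE_CASES: List[Triple] = [
    ("Customer", "create", "Order"),
    ("Customer", "read", "Order"),
    ("Customer", "create", "PaymentCard"),
    ("Support", "read", "Order"),
    ("Support", "delete", "Order"),        # deliberately absent from ACCESS
    ("OrderService", "create", "Order"),
    ("OrderService", "read", "PaymentCard"),
]

# Components and the relevancies (technology / hosting facts) tagged on them.
COMPONENTS: Dict[str, Set[str]] = {
    "WebFrontEnd": {"ASP.NET", "IIS"},
    "OrderDb": {"SQL Server"},
    "PaymentGateway": set(),               # deliberately untagged
}

# Identities defined for service roles that call across tiers.
IDENTITIES: Dict[str, str] = {"OrderService": "svc-order"}
# -----------------------------------------------------------------------------


def permitted_not_exercised(access, use_cases) -> List[Triple]:
    """Access the matrix grants that no use case walks through (coverage gaps)."""
    covered = set(use_cases)
    gaps = [(role, action, data)
            for (role, data), actions in access.items()
            for action in actions
            if (role, action, data) not in covered]
    return sorted(gaps)


def exercised_not_permitted(access, use_cases) -> List[Triple]:
    """Use cases the matrix does not allow: the model contradicts itself."""
    return sorted(uc for uc in use_cases
                  if uc[1] not in access.get((uc[0], uc[2]), set()))


def unreachable_data(access, data) -> List[str]:
    """Data elements no role can touch: dead entries or missing access rows."""
    reachable = {d for (_, d), actions in access.items() if actions}
    return sorted(data - reachable)


def full_control(access) -> List[Tuple[str, str]]:
    """Roles holding every action on a data element (least-privilege check)."""
    return sorted((role, data) for (role, data), actions in access.items()
                  if set(ACTIONS) <= actions)


def components_without_relevancies(components) -> List[str]:
    """Components with no relevancies, so no attacks can be matched to them."""
    return sorted(name for name, tags in components.items() if not tags)


def service_roles_without_identity(service_roles, identities) -> List[str]:
    """Service roles crossing tiers that have no identity defined."""
    return sorted(service_roles - set(identities))


def sanity_report() -> Dict[str, list]:
    """Run every check over the constructed model; empty list means 'ok'."""
    return {
        "permitted_not_exercised": permitted_not_exercised(ACCESS, USE_CASES),
        "exercised_not_permitted": exercised_not_permitted(ACCESS, USE_CASES),
        "unreachable_data": unreachable_data(ACCESS, DATA),
        "full_control": full_control(ACCESS),
        "components_without_relevancies": components_without_relevancies(COMPONENTS),
        "service_roles_without_identity": service_roles_without_identity(
            SERVICE_ROLES, IDENTITIES),
    }


if __name__ == "__main__":
    for check, findings in sanity_report().items():
        print(f"{check}: {findings or 'ok'}")
```

Each finding maps back to a list item: coverage gaps and contradictions are what item 9's analytics are meant to surface, the full-control hit on the audit log is the item 5 least-privilege question to put back to the team, the untagged component violates item 7, and the service role without an identity violates item 8. Treat the output as questions for the architect and the production team, not as verdicts; the model is only as good as the information behind it.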

Sagar Joshi

Senior Security Consultant
ACE Services
sagarj at microsoft dot com