Down to the last developer

Sep 28, 2007 13:17 GMT

Microsoft provides the first line of defense for its software, but at the same time the company acts as the first attacker, testing the code it produces for its resistance to attack. This is done via threat modeling. Essentially, threat modeling is a structured process for identifying the risks inherent in a system's security, evaluating them, and then introducing mitigations. What has to be understood is the difference between a bug and a threat.

Microsoft, like any other software developer, can completely resolve or remove a vulnerability, but a threat is like a diamond: it lasts forever. It cannot be fixed, only mitigated to the point where exploiting it would cause no more than insignificant damage. Threat modeling also means thinking the way an attacker does, not the way a software developer does.

"As each team starts a new product cycle, they have to decide how much time to spend on the tasks that are involved in security. There's competition for the time and attention of various people within a product team. Human nature is that if a process is easy or rewarding, people will spend time on it. If it's not, they'll do as little of it as they can get away with. So the process evolves, because we want to be aligned with what our product groups and customers want", revealed Adam Shostack, Program Manager in Microsoft's Security Engineering group.

With threat modeling, the Redmond company focuses on the attacks it is trying to stop, rather than on the actual attackers. This approach somewhat differentiates Microsoft from other software developers that also apply threat modeling. Still, one of the main reasons for the poor standard of security associated in the past with Microsoft software has been the poor implementation of threat modeling.

"I want to be really clear that I'm not critiquing the people who have been threat modeling, or their work. A lot of people have put a tremendous amount of work in, and gotten some good results. There are all sorts of issues that our customers will never experience because of that work. I am critiquing the processes, saying we can do better, in places we are doing better, and I intend to ensure we continue to do better", Shostack explained.

All the teams involved in the development of a software product participate in threat modeling at Microsoft, instead of a central group producing the threat models on its own. This marks the evolution of threat modeling: every developer involved in building a product becomes conscious of the security that has to be built into it.

"The cost is that we have to be very prescriptive in how we advise people to approach the problem. Some people are great at 'think like an attacker,' but others have trouble. Even for the people who are good at it, putting a process in place is great for coverage, assurance and reproducibility. But the experts don't expose the cracks in a process in the same way as asking everyone to participate", Shostack added.