In this video, take a first pass at finding threats to the system.
- The second question in threat modeling is what can go wrong? Oh my, what can go wrong? Yeah, you could build your nuclear power plant next door to a spider farm or on an earthquake fault line. But hang on a minute. I'm not designing a nuclear power plant here, I'm building an ad server. I have a project scope right here and you know what? No nuclear power plants, no spider farms. But you know what could go wrong? Customer A might be able to upload content to customer B's campaign, so customer B is paying for customer A's ads.
That's sort of fun. The lawyers tell me I can't say fun, how about exciting? That's sort of exciting. Or my servers might get overwhelmed with traffic, which is cha-ching! Great, but what if they're so overwhelmed they fail to send packets to the billing server? "What can go wrong?" is the key question in threat modeling, and it can be hard to get it right. If you scope too wide, you worry about radioactive spiders.
And hey, I'm not saying don't worry about radioactive spiders. I'm saying don't worry about them as part of this project, because spiders are not on the diagram. It's important to scope properly and find the threats that you can deal with during this project, or even during a given sprint. And because it's hard to get it right, there's a tool, a mnemonic, to help answer the question "what can go wrong?" It focuses on the things that go wrong over and over across all sorts of systems.
The mnemonic is STRIDE. It stands for spoofing, tampering, repudiation, information disclosure, denial of service and elevation of privilege. Failure to look for any one of these is an almost certain path to doom. Don't treat STRIDE as a straitjacket, but as a guide. For example, STRIDE might not help you realize that there is a new European regulation regarding what you can do with personal data, which might actually be relevant and worth flagging to a project manager.
STRIDE helps when there's uncertainty about where to look next. Answering the question "what can go wrong?" starts with a high-level look at the diagram and continues through finding specific instances of each threat relevant to each box and line in the diagram. And sometimes, as you do that, you'll find you're not looking at the most critical issues. You're finding things over which you have no control or even influence.
And so I'll draw a line on this diagram. So this is a trust boundary. It's where you and your customer meet. It's where different domains of responsibility within an org delineate that responsibility. And the real definition: it's everywhere trust or privileges change. And so I've labeled the inside of it RED 30, the name of our advertising agency.
We're going to focus our analysis of what can go wrong near or inside this boundary.
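The pass the video describes, walking each box and line in the diagram and asking which STRIDE categories apply, then focusing on the elements near the trust boundary, can be done mechanically as a first cut. The example below is added here and is not code from the course; the diagram is a constructed sketch of the ad server described above (customers, an upload service, a campaign store, the ad server, the billing server, with the RED 30 boundary separating the agency's zone from the internet), and the per-element chart it uses is the standard STRIDE-per-element mapping (external entities get S and R; processes get all six; data stores get T, R, I, D; data flows get T, I, D), which is an assumption rather than something the transcript states.

```python
"""STRIDE-per-element first pass over a small data-flow diagram.

Added example; the diagram below is a constructed sketch of the ad server
from the video, not a diagram from the course.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

S = "Spoofing"
T = "Tampering"
R = "Repudiation"
I = "Information disclosure"
D = "Denial of service"
E = "Elevation of privilege"

# Standard STRIDE-per-element chart (assumption: the common per-element mapping).
PER_ELEMENT: Dict[str, Set[str]] = {
    "external": {S, R},
    "process": {S, T, R, I, D, E},
    "store": {T, R, I, D},
    "flow": {T, I, D},
}


@dataclass(frozen=True)
class Node:
    name: str
    kind: str   # "external", "process" or "store"
    zone: str   # trust zone the node lives in; a flow between zones crosses the boundary


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str


@dataclass(frozen=True)
class Threat:
    element: str
    kind: str
    category: str
    touches_boundary: bool


def build_ad_server_diagram() -> Tuple[Dict[str, Node], List[Flow]]:
    """Constructed sketch of the ad server; 'red30' is the agency's trust zone."""
    nodes = [
        Node("Customer A", "external", "internet"),
        Node("Customer B", "external", "internet"),
        Node("Web visitor", "external", "internet"),
        Node("Campaign upload service", "process", "red30"),
        Node("Campaign store", "store", "red30"),
        Node("Ad server", "process", "red30"),
        Node("Billing server", "process", "red30"),
    ]
    flows = [
        Flow("A uploads creative", "Customer A", "Campaign upload service"),
        Flow("B uploads creative", "Customer B", "Campaign upload service"),
        Flow("store campaign", "Campaign upload service", "Campaign store"),
        Flow("read campaign", "Campaign store", "Ad server"),
        Flow("serve ad", "Ad server", "Web visitor"),
        Flow("impression record", "Ad server", "Billing server"),
    ]
    return {n.name: n for n in nodes}, flows


def flow_crosses_boundary(flow: Flow, nodes: Dict[str, Node]) -> bool:
    return nodes[flow.src].zone != nodes[flow.dst].zone


def node_touches_boundary(node: Node, flows: List[Flow], nodes: Dict[str, Node]) -> bool:
    """A node sits on the boundary if any flow in or out of it crosses zones."""
    return any(flow_crosses_boundary(f, nodes) and node.name in (f.src, f.dst) for f in flows)


def enumerate_threats(nodes: Dict[str, Node], flows: List[Flow]) -> List[Threat]:
    """One candidate threat per (element, applicable STRIDE category)."""
    threats: List[Threat] = []
    for node in nodes.values():
        on_boundary = node_touches_boundary(node, flows, nodes)
        for cat in sorted(PER_ELEMENT[node.kind]):
            threats.append(Threat(node.name, node.kind, cat, on_boundary))
    for f in flows:
        crosses = flow_crosses_boundary(f, nodes)
        for cat in sorted(PER_ELEMENT["flow"]):
            threats.append(Threat(f.name, "flow", cat, crosses))
    return threats


def boundary_first(threats: List[Threat]) -> List[Threat]:
    """The video's focus: keep only threats on or crossing the trust boundary."""
    return [t for t in threats if t.touches_boundary]


if __name__ == "__main__":
    all_threats = enumerate_threats(*build_ad_server_diagram())
    for t in boundary_first(all_threats):
        print(f"{t.kind:8} {t.element:26} {t.category}")
    print(f"{len(boundary_first(all_threats))} of {len(all_threats)} candidates touch the boundary")
```

Two of the candidates the script emits are the ones the video names: elevation of privilege on the campaign upload service (customer A reaching customer B's campaign) and denial of service on the "impression record" flow (an overwhelmed ad server that never reaches billing). Note that the second one is entirely inside the RED 30 zone, so the boundary-first filter drops it; the filter tells you where to start, not where to stop, which is the "guide, not straitjacket" point above.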