Threat Modeling Game
Microsoft has made a little game of threat modeling, with details here. The idea is that by printing particular scenarios on cards and creating a competition to figure out how each scenario can be applied to an application model, a development team will be reasonably effective at finding threats (I would add that if you put in some prize, people will be extra competitive). Having looked through the deck, they do a good job of enumerating common scenarios for each STRIDE element – it isn’t exhaustive, but it covers a good deal of ground and should provide good guidance to product staff that are not accustomed to thinking about attack scenarios. It’s a clever way to approach threat modeling with folks that are probably not well versed in it.
That said, a couple comments -
• The “Instructions 2” Elevation of Privilege Variants offer some suggestions I think should be in the core rules, specifically that each player can “riff” off of a card played by another by suggesting additional ways a threat could be applied, and get an additional point for each new valid scenario. As soon as I watched the video in the link above explaining the game, the first flaw I thought of was that only one person is really considering how a given threat might be applicable. Anything they miss won’t necessarily be documented. By allowing other players to get points by also considering a threat and contributing possible attack scenarios, it increases the potential analytical coverage of the application.
• Like the more mundane threat modeling process, the diagram of the application is incredibly important. A diagram that doesn’t model all of the data flows is going to cause people to miss threats. A diagram that is too high level, or abstracts crucial details (for example a series of components collapsed into one entity, which as a result hides a trust boundary), is going to be a handicap. A diagram that is too detailed, showing unnecessary elements, is also going to be a handicap because it presents more information than humans are good at tackling at any given point. The application diagram is the most critical part of the threat modeling process, and whether you use the game, the recent threat modeling tool (which is so much better than the first gen tool I used at MS that pulled in DREAD, risk trees, etc.) or a hack session on a whiteboard, if you don’t draw a good application diagram you are going to miss threats. What I would love to see MS do is release training videos specifically providing guidance on the creation of data flow diagrams.
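To make the “collapsed component hides a trust boundary” point concrete, here is an added example (not part of the original post, and not Microsoft’s game or tool) that applies the published STRIDE-per-element mapping to two data flow diagrams of the same constructed web application: one that keeps the DMZ front end and the internal application server separate, and one that collapses them into a single “web app” process. The application, zone names and flow names are all made up for illustration; the only thing taken from Microsoft’s guidance is the element-to-category table.

```python
from dataclasses import dataclass

# STRIDE-per-element: which categories apply to each DFD element type
# (S=spoofing, T=tampering, R=repudiation, I=information disclosure,
# D=denial of service, E=elevation of privilege). This table is from
# Microsoft's SDL threat modeling guidance.
STRIDE_PER_ELEMENT = {
    "external": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "store": {"T", "R", "I", "D"},
    "flow": {"T", "I", "D"},
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # external | process | store
    zone: str   # trust zone the element runs in (constructed labels)


@dataclass(frozen=True)
class Flow:
    name: str
    src: str    # element name
    dst: str    # element name


@dataclass(frozen=True)
class DFD:
    elements: tuple
    flows: tuple

    def element(self, name):
        return next(e for e in self.elements if e.name == name)


def crosses_trust_boundary(dfd, flow):
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    return dfd.element(flow.src).zone != dfd.element(flow.dst).zone


def boundary_crossings(dfd):
    """Names of flows that cross a trust boundary, in diagram order."""
    return [f.name for f in dfd.flows if crosses_trust_boundary(dfd, f)]


def enumerate_threats(dfd):
    """Return (element_or_flow_name, category, crosses_boundary) triples.

    Each triple is a candidate threat a reviewer (or a card player) should
    consider; boundary-crossing flows are flagged so they get attention first.
    """
    threats = []
    for e in dfd.elements:
        for cat in sorted(STRIDE_PER_ELEMENT[e.kind]):
            threats.append((e.name, cat, False))
    for f in dfd.flows:
        crossing = crosses_trust_boundary(dfd, f)
        for cat in sorted(STRIDE_PER_ELEMENT["flow"]):
            threats.append((f.name, cat, crossing))
    return threats


def hidden_crossings(detailed, collapsed):
    """Boundary-crossing flows in the detailed diagram that the collapsed one lost."""
    return set(boundary_crossings(detailed)) - set(boundary_crossings(collapsed))


# Constructed sample: browser -> DMZ front end -> internal app server -> database.
DETAILED = DFD(
    elements=(
        Element("browser", "external", "internet"),
        Element("web_frontend", "process", "dmz"),
        Element("app_server", "process", "internal"),
        Element("db", "store", "internal"),
    ),
    flows=(
        Flow("login request", "browser", "web_frontend"),
        Flow("api call", "web_frontend", "app_server"),
        Flow("query", "app_server", "db"),
    ),
)

# The same system drawn with front end and app server collapsed into one box.
COLLAPSED = DFD(
    elements=(
        Element("browser", "external", "internet"),
        Element("web_app", "process", "server"),
        Element("db", "store", "server"),
    ),
    flows=(
        Flow("login request", "browser", "web_app"),
        Flow("query", "web_app", "db"),
    ),
)

if __name__ == "__main__":
    print("detailed crossings:", boundary_crossings(DETAILED))
    print("collapsed crossings:", boundary_crossings(COLLAPSED))
    print("crossings hidden by collapsing:", hidden_crossings(DETAILED, COLLAPSED))
    print(len(enumerate_threats(DETAILED)), "vs", len(enumerate_threats(COLLAPSED)), "candidate threats")
```

Running it shows the collapsed diagram drops the DMZ-to-internal “api call” crossing entirely, and nine candidate threats with it; none of the cards in the deck can prompt a player to think about a boundary that is not on the table.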
• And yet again I am disappointed by Microsoft not trying to leverage their multiple platforms in some semblance of synergy. Just when WinMo 7 looked to finally tie the Xbox, Zune, and phone together, when it looked like MS finally got it, they go and do a stunt like this. Paper cards when you have the best online multiplayer system in the world, Microsoft? Really? This should really be a free download on Xbox Live Arcade, with achievements and avatar prizes. Adam, if you are reading this, drop me an email. I can put you in contact with some folks in Xbox – my old manager works there now, as does his old manager. You can get this done.
Anyway, for those of you looking to get threat modeling into your organization (and you should – it is the best methodology I have found for doing design level security analysis), this is a good starting point. Apple, now that you have hired Window Snyder and may finally be taking security seriously, you might want to check this game out, even if Microsoft made it. It is released under a Creative Commons license, so you could even make it into an iPad game if that is what it takes to get you to finally threat model QuickTime.
~ Joshbw