Threat modeling with teams is a process that requires visuals, interaction between team members and discussion and so lends itself to everyone being in a room together. This has been quite hard the last two years. It also doesn’t look to be getting any easier, so we should probably get used to it. Here’s how I’ve been doing it with several teams.

A bit of the history

To help teams get started threat modeling their applications, I’ve been using a card game called Elevation of Privilege (EoP) remotely. I tried a few collaboration tools and methods of play, then came up with a Miro template, Threat Modeling with EoP.

Miroverse Threat Modeling with EoP template

Teams have found this quite helpful in documenting their threat models. They can export them and save them alongside the code in their repo so they have a record of the model for the version of the application they’re designing. 

I imagine if you’re reading this on Adam’s site you’re already familiar with Elevation of Privilege, so I won’t go into the details of play here.

What do you need to play?

You’ll need:

  • The requirements for what you’re building

  • An architecture (data flow) diagram which shows your trust boundaries (where ownership or access rights to the data change in the flow)

  • A neurodiverse group of people who know what they’re building.

How many people and who?

More than one and as many as needed. One pair of eyes is more likely to miss something, so if there are a few of you it works better.

When I say a neurodiverse group, I mean (but don’t limit it to):

  • frontend or backend engineers

  • someone from QA

  • someone from product

  • an architect

People in different roles think differently and bring different context, and they don’t have to be technical (think: the door is unlocked; I don’t need to be a locksmith to understand that).

How to use the board

The board is split into three sections: section 1 contains some instructions for getting set up, section 2 a worked example, and section 3 is where the team models their architecture.

These are the steps to use the board:

  1. Create an architecture diagram

  2. Insert your diagram into each of the STRIDE/STRIPED sections of the board

  3. Lock all elements apart from the stickies

  4. Select all the stickies and “bring to front” from the context menu

  5. Deal the cards (see below) and share with the players

  6. Start playing EoP with the 3 of Tampering

  7. Use the red sticky for the T3 card in the Tampering section of the board; add your name and a description of the threat after the number

  8. You can also add existing mitigations or proposed mitigations with green or orange stickies respectively

  9. For cards not of the same suit, just grab their sticky and drag it over to the hand you’re currently playing.

Once the first hand is finished, the winner chooses the next suit and everyone moves to the corresponding section of the board.

Ticket up the threats

If the Jira app is installed in the Miro board, you can also create tickets for mitigation work directly from the board so you don’t lose track of them.

This might require an administrator to configure the application link, but after that it’s as easy as clicking on a sticky and then clicking the convert to Jira issue button on the context menu, as seen below:

convert to Jira issue

This opens a modal dialog where you can fill out the details of the ticket and then click convert, as in the example below:

convert to Jira issue dialog

Dealing the cards virtually

When playing remotely, you (the meeting organizer) might find the croupier app from Agile Stationery helpful: it lets you deal cards for “Elevation of Privilege” (with or without Privacy), “Cornucopia” and “LINDDUN Go”.

I recommend you email each player their hand because if you don’t finish in one session, I guarantee in the second session someone won’t remember what cards they had.

Making it even more like being in the room

You might want to order the physical cards for each team member and have them sent to their homes for playing the game. You can do that at https://agilestationery.co.uk, who can even print them with your company branding, which is quite nice.

So now you are ready to play: put your diagram into each of the six (or seven, if you are playing the version with Privacy) sections of the board, give the players access to the board and play the game. There are instructions included in the template.

Hope you enjoy it