Friday, November 6, 2009

Threat Model Updates

The architects and program managers need to review the threat models one more time. We know that it might seem like there has been a great deal of focus on threat models, but they are very important. As we write this chapter, Windows Vista starts its verification phase, in which threat models are reviewed to make sure that they are complete and correct. The beauty of doing this is that you can ascertain which areas the various component groups might have missed, if indeed they have missed anything. The critical portions of the threat model to look at are described in Chapter 9, "Stage 4: Risk Analysis." To recap, here are some of the authors' favorite things to look for in a threat model during the security push:


  • Determine whether the data flow diagram (DFD) needs to be changed since its last review. Software design changes that happen between the design phase and verification phase should be reflected in the DFD and, hence, the threat model as a whole.

  • Make sure all DFD elements are mapped to appropriate STRIDE threat categories.

  • Look at all the entry points into the system. Make sure the list is complete and has not changed since the last review.

  • Look at all the anonymous network-facing interfaces to the system. Should they be authenticated or restricted to a local subnet or list of trusted Internet Protocol (IP) addresses?

  • Make sure all the sensitive data stores are correctly protected. This protection often includes an access control list (ACL) review.

  • Make sure all data flows carrying security-sensitive data are adequately protected. This includes protection from disclosure (using encryption) and tamper detection (using message authentication codes or digital signatures).
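The checklist above can be turned into a mechanical first pass over a threat model. The following is an added example, not code from the book or from Microsoft's SDL tooling: it encodes the SDL's standard STRIDE-per-element mapping (external entity: S, R; process: all six; data store: T, I, D, plus R for audit/log stores; data flow: T, I, D) and the review questions in the list as checks over a small, constructed DFD. The element record format, its field names (`network_facing`, `acl_reviewed`, `integrity`, and so on) and the sample DFD are assumptions made for this example, not anything the chapter prescribes.

```python
"""Threat-model review helper (added example, not from the book).

Runs the security-push checklist over a DFD described as a list of
Element records and reports every gap it finds. The DFD schema and the
sample elements are constructed for this example.
"""
from dataclasses import dataclass, field

# SDL STRIDE-per-element mapping: which threat categories must be
# considered for each DFD element type. "R" on a data store applies
# only when the store holds audit or log data (handled in review()).
STRIDE_PER_ELEMENT = {
    "external_entity": {"S", "R"},
    "process": {"S", "T", "R", "I", "D", "E"},
    "data_store": {"T", "R", "I", "D"},
    "data_flow": {"T", "I", "D"},
}


@dataclass
class Element:
    name: str
    kind: str                                  # key of STRIDE_PER_ELEMENT
    threats: set = field(default_factory=set)  # STRIDE letters the model already covers
    network_facing: bool = False               # entry point reachable over the network
    authenticated: bool = False                # callers must authenticate
    restricted_to: str = ""                    # "local subnet", "trusted IP list", "" = none
    sensitive: bool = False                    # holds or carries security-sensitive data
    acl_reviewed: bool = False                 # data store: ACL reviewed this cycle
    encrypted: bool = False                    # data flow: protected from disclosure
    integrity: str = ""                        # data flow: "mac", "signature" or ""
    is_log: bool = False                       # data store: audit/log store


def review(elements):
    """Return a list of (element name, finding) tuples, one per gap."""
    findings = []
    for e in elements:
        # 1. Every element must be mapped to its STRIDE categories.
        expected = set(STRIDE_PER_ELEMENT[e.kind])
        if e.kind == "data_store" and not e.is_log:
            expected.discard("R")
        missing = expected - e.threats
        if missing:
            findings.append((e.name, "unmapped STRIDE categories: " + "".join(sorted(missing))))
        # 2. Anonymous network-facing entry points need auth or a network restriction.
        if e.network_facing and not e.authenticated and not e.restricted_to:
            findings.append((e.name, "anonymous network-facing entry point: "
                             "require authentication or restrict to a subnet/trusted IP list"))
        # 3. Sensitive data stores need an ACL review.
        if e.kind == "data_store" and e.sensitive and not e.acl_reviewed:
            findings.append((e.name, "sensitive data store without ACL review"))
        # 4. Sensitive data flows need confidentiality and tamper detection.
        if e.kind == "data_flow" and e.sensitive:
            if not e.encrypted:
                findings.append((e.name, "sensitive data flow without encryption (disclosure)"))
            if e.integrity not in ("mac", "signature"):
                findings.append((e.name, "sensitive data flow without MAC or signature (tampering)"))
    return findings


# Constructed sample DFD for a hypothetical remotely administered service.
SAMPLE_DFD = [
    Element("Remote client", "external_entity", threats={"S", "R"}),
    Element("Admin RPC listener", "process", threats={"S", "T", "R", "I", "D", "E"},
            network_facing=True),
    Element("Config store", "data_store", threats={"T", "I", "D"},
            sensitive=True, acl_reviewed=True),
    Element("Audit log", "data_store", threats={"T", "I", "D"}, is_log=True, acl_reviewed=True),
    Element("Client->listener credentials", "data_flow", threats={"T", "I", "D"},
            sensitive=True, encrypted=True, integrity="mac"),
    Element("Listener->config writes", "data_flow", threats={"T", "D"},
            sensitive=True, encrypted=False, integrity=""),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_DFD):
        print(f"{name}: {finding}")
```

On the sample DFD the helper reports five gaps: the listener is reachable anonymously over the network, the audit log has no repudiation threat recorded, and the config-write flow is missing its information-disclosure mapping as well as both encryption and tamper detection. The value of a pass like this during the push is that the output is a list of concrete items for the component owners rather than a general request to "look at the model again".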