
May 10, 2023 12 mins

In this episode, we discuss the four-question framework for threat modeling with its creator, Adam Shostack. We dive deep into the meaning and purpose of each question and how they simplify the threat modeling process. The four questions are: 1) What are we working on? 2) What can go wrong? 3) What are we going to do about it? 4) Did we do a good job? 

Adam explains that these questions are not a methodology but a foundation for a more practical approach to threat modeling. We also discuss the importance of retrospectives, evolving the framework, and how it can be applied in various situations. Lean into the four questions, and you might become a threat modeling Jedi.

Welcome to Smart Threat Modeling. Devici makes threat modeling simple, actionable, and scalable. Identify and deal with threats faster than ever. Build three free models and collaborate with up to ten people in our Free Forever plan. Get started at devici.com and threat model for free! Smart threat modeling for development teams.


Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
(00:32):
If you've ever heard the words threat modeling, you've probably heard of Adam Shostack. In threat modeling, Adam is a single name like Prince or Elvis. He's the first person I'm aware of that brought threat modeling to tech companies during his tenure at Microsoft. Adam's famous for many things within the world of threat modeling, but we'll focus on his four question framework about threat modeling.

(00:55):
Who better to explain the framework than Adam himself?

Adam Shostack (01:02):
I think of the four questions as a framework. In fact, I call them the four question framework for threat modeling. I don't think of them as a methodology because we don't have specific ways of answering them, and that's both a strength and a weakness. It's a strength in that it enables us to vary up the way we answer them, and in varying them up, we can respond to the situations in which we find ourselves.

(01:27):
I created the four question framework while I was at Microsoft, and in fact, I created it as five questions. I was trying to simplify how we talked about threat modeling. The first question about requirements and goals has fallen away.

(01:52):
Similarly, the first way I represented it was in a loop, in a hamster wheel of pain, to represent that we threat model at the beginning of a project, we threat model as we're creating features, we threat model at the end. The implication was that threat modeling is a never ending chore.

(02:15):
So I simplified it to be more linear and I think that that's a superior approach. The four questions are, what are we working on? What can go wrong? What are we going to do about it? And did we do a good job?

Chris Romeo (02:33):
In the world of threat modeling, we often speak of methodology. Adam states that the four question framework is not a methodology, but it's essential to understand why that is. Some argue that methodology is a religious debate where their approach is the only way to do threat modeling. Threat modeling methodology is an approach that a practitioner uses to perform threat modeling, consisting of both a process and a set of threats and mitigations for consideration.

(02:54):
Many different methodologies exist and we'll unpack many of them over time, but for now, you may have heard of STRIDE or LINDDUN, PASTA or No Dirt. These all represent different methodologies for performing threat modeling.

(03:15):
As Adam said, the four questions are not a methodology. The four questions are a way to simplify threat modeling at its core. The four questions are simple. Simple always equals more secure. When something is simple, it's easier to explain to the people that need to internalize it. The four questions are a great place to start and are the foundation for how most people approach threat modeling.

(03:36):
Let's dive deeper into the four questions because it is the easiest way to begin threat modeling. You don't have to remember a million details or facts or implement a 27 step process for success. The four questions are simple, by design. They lead you down a path/process that generates a meaningful outcome.

Adam Shostack (04:02):
The first question, what are we working on, is a scoping question, and our friend Izar likes to say, threat model every story. In which case, what are we working on is what are we working on in this story?

(04:25):
Or if what we're working on is a big waterfall project, say Windows or a rocket ship, or a self-driving car, what we're working on can be an overall question, but this question both gives us scope, it gives us an introduction to the project if we're coming in as a consultant. And it helps us gain a shared understanding.

(04:46):
We tend to answer the question, what are we working on, with diagrams often created in conversation to help bring people together in mutual understanding of the system that they're working on.

Chris Romeo (05:05):
With this question, as Adam said, we're addressing the scope of a given threat model. We want to encourage people to threat model whatever they are personally working on. So when a person answers this question, they can narrow the scope to a manageable size. The Izar he mentions is our friend, Izar Tarandach, who you'll hear from later in the series.

(05:26):
Now for the second question, what can go wrong?

Adam Shostack (05:30):
The question of what can go wrong is both the heart of threat modeling and the hardest part of threat modeling. It's the core of the framework, and we answer it either from simply asking what can go wrong, or we can use structures. We can use things like STRIDE or kill chains to help us answer the question of what can go wrong.

(05:54):
And we do that to give us repeatability, which is a great property, but it's not an essential property. When I say it's the hardest part, I wanna mention here, if I may, my new book.

(06:11):
Threats: What Every Engineer Should Learn From Star Wars is an attempt to share and to develop common answers. What are the norms that every engineer should know? The subtitle of the book is really an essential part of how we get to that consistency, and so I'm really pleased with it. And hope people like it.

(06:32):
The other thing I wanna mention about what can go wrong is just asking that question can be incredibly powerful. Making space for people to express the things about which they worry.

(06:53):
This can be the evil brainstorming side of things that our friend Tanya Janca talks about. This can be the use of fortunately, unfortunately, where I say, fortunately, we've encrypted that data and you say, unfortunately, the key is stored on the local machine.

(07:13):
And I say, fortunately, we've set permissions on it. And you say, unfortunately, they're world readable. And we can even just use the question of what can go wrong and encourage people to speak, make their answers valid, tell them we appreciate hearing them.

(07:33):
That's really powerful.

Chris Romeo (07:37):
What can go wrong is not prescribing a particular methodology but directing us to list the threats regardless of the source. As Adam states, and as we document it in the Threat Modeling Manifesto, threat modeling is both art and science. Evil brainstorming represents the creative side of threat modeling. On to the third question.

Adam Shostack (07:59):
So the third question of "what are we gonna do about it?" ranges from we're gonna develop controls, we're gonna develop features that make these threats harder to exploit, or we're gonna deploy controls. Technologies, products, processes that help us defend our systems.

(08:20):
And when it's hard to develop or deploy controls, we can go towards risk management, where we can eliminate, accept, or transfer risk.

(08:42):
And I think the relationship between a risk and a threat is a risk is a quantified threat, where we start to focus on likelihood and impact to help us decide between the various ways in which we do risk management because the controls are difficult to develop, deploy, operate, make the system unusable, et cetera.

Chris Romeo (09:00):
Mitigations are the key value driver of threat modeling. Without mitigations, we're wasting time, dreaming up threats that will never be resolved. Mitigations dictate the positive security change that occurs because of discovering the threats. Mitigations require follow-up to determine if any fixes are in place.

Adam Shostack (09:20):
So the final question in the four question framework is, did we do a good job? And we can start this at a very mechanical level. Do we have a diagram? Do we have a list of threats, which is appropriate for the way in which we're engaged in these things?

(09:40):
We can answer it at a satisfaction level. Would you recommend threat modeling to a colleague? And if you would, great. And if not, there's probably an issue. And we can answer it retrospectively. Did our pen test do better this time than it did previously?

Chris Romeo (10:01):
We want to use retrospectives to pinpoint ways to improve our threat modeling process, methodology, or tools. The key to long-term security improvement is not being afraid of asking for feedback. We talk about this often in the DevOps world: craving actionable feedback and blameless retrospectives. The same applies to the world of threat modeling.

(10:22):
Before I could wrap this up, I had to understand Adam's thoughts on the future of the four question framework. Where will it go in the future?

Adam Shostack (10:31):
All right. So do I see any evolution to the four questions? No, but that's the thing about evolution: it surprises you. When we were creating the manifesto, the team argued for "did we do a good enough job," and made that case.

(10:51):
If I had foreseen that, I would have evolved it. So another thing that I did is when I started with the four questions, I would say, what are you working on? It was a consulting approach. It was an external approach rather than a collaborative approach.

(11:13):
And I apologize to whoever made the case that we should make it "we"; they made a strong case. And so now, I talk about the four questions in terms of what are we working on, what are we gonna do about it?

Chris Romeo (11:23):
The four question framework for threat modeling is a foundational approach. We see many different organizations building their threat modeling programs using this approach. The reason it's so successful is simple. The method is simple. By remembering four simple questions, you can threat model anything.

(11:44):
So give it a try next time you're standing in the security line at the airport. But a tip from my experience. Don't share the results with them in real time. They may not share the same sense of humor that you do.