Introducing the First Virtual Conference for Product Security - Left to Our Own Devices: The Conference.
Introducing the First Virtual Conference for Product Security - Left to Our Own Devices: The Conference.

How Video Games and Star Wars Teach Threat Modeling with Adam Shostack

How Video Games and Star Wars Teach Threat Modeling with Adam Shostack

This article is based on Adam Shostack’s interview on the Left to Our Own Devices podcast.

 

Adam Shostack, is a threat modeling expert, pioneer of the CVE standards, author of  “What Every Engineer Should Learn From Star Wars,” advisor,  game designer, and lecturer. When Adam realized his work affects people’s lives and data and the importance of the ability to “magically” anticipate what can go wrong in surgery rooms, he was hooked.

Through his love of game design and Star Wars, Adam was able to simplify the complexity of threat modeling with a unified, simple standard.

The most common gaps and mistakes in threat modeling training 

“The biggest gaps in cybersecurity concepts come from forgetting about basics,” said Adam. One of the primary tools we use when we threat model is a monic called STRIDE- spoofing,  tampering,  repudiation,  information disclosure, denial of service, and elevation of privilege. 

When we consider how someone can spoof, you’re actually asking how someone can tamper. STRIDE helps us get a structured way of thinking about what can go wrong.

Adam explains that the challenge people have is understanding where boundaries happen in the digital world. We have this instinctual understanding of the physical world. where the front door or the gate in my fence is a boundary. Systems have layers of boundaries. Where usually you have a gate, a front door, and an office filing cabinet that locks, digital systems don’t have the same physical barriers. Yet, people have trouble analogizing these layers to their technological systems.

What we can learn about cyber security from Star Wars 

Adam has been using Star Wars to illustrate security concepts for 15 years. It started with a joke he made that the best way to understand the security principles of Saltzer and Schroeder, which is a fundamental paper in cybersecurity, is to use Star Wars.

Star Wars gives us a fun and accessible way to understand complex ideas in cybersecurity. Adam loves using Star Wars because everyone has seen the core three movies, which his book primarily uses.

The book ‘What Every Engineer Should Learn from Star Wars’ starts with a question ”How does R2D2 know who Obi-One Kenobi is so that he plays the hologram for Obi one, but not for Luke?” This question gives us an introduction to the idea of spoofing and authenticity. We can continue to bend Kenobi tampering with a power converter or look at each of the threats in the context of a familiar, accessible story and use that to get into the technical meat in a way that’s both fun and memorable.

He learned something else from designing video games.

The relationship between ability and challenge in video games and mastering threat modeling

Games have an introduction level where you learn how to walk around and shoot the gun because it is crucial to balance challenge and ability. 

When people enter a flow where they enjoy what they’re doing, they are open to learning. A considerable challenge and low ability get people anxious. High ability and a low challenge get boring. A good balance between challenge and availability is the sweet spot that helps people evolve from challenge to competence. 

Games start at a basic level. Learn how to walk before you collect new tools and learn how to use them. With every new reward, players are motivated to continue. Slowly adding more information that allows the player to take on bigger challenges.

The Star Wars books do the same. They give a baseline understanding of cybersecurity through familiar storylines and characters. Plus, people learn while playing games. There’s a better chance to win as you gain more experience and understanding of the different threat levels and your abilities. But how do you prioritize?

How to simply prioritize CVE by modern cybersecurity standards

One of the key questions during this interview surrounded what was learned from building the CVE standard and how it became an integral part of modern cybersecurity.

Adam shared he had learned two lessons: The first lesson is the value of simplicity. There were a lot of people who wanted CVE to be a database that contained a lot more fields. But the thing is, the simplicity of the standard allowed people to discover more uses for it.

“I think that’s a very important lesson for SBOM. Many people ask about reachability or the code not getting called, or we want to add information about vulnerabilities. I’m not close enough to the SBOM world to have a strong opinion about these questions,” said Adam.

The second thing that was crucial to the success of CVE is it enables conversation between two communities: the security people who were aware of vulnerabilities and the operations people who needed to patch things.

That conversation was the first crucial use of CVE that drove it to become a standard.  The idea is that CVE would be a way to communicate between the Vulnerable databases.

It turned out that communication with a broader community was crucial. SBOM is where we start talking between producers and consumers of software and even more about the supply chains. 

It’s challenging to balance simplicity and expressiveness for any new standard. It remains to be seen if it is simple and expressive enough. In an ever-changing landscape, what can product security teams do to improve their threat modeling efforts?

Helping new teams overcome the biggest challenges of product security 

One of the biggest challenges for cybersecurity teams of device manufacturers is embedding cybersecurity measures early in the development process. Adam Shostack shared some tips and tricks for a new product security team.

“So the first thing is it can and should be easy. You want to give people baby steps to allow them to feel they are being successful. That’s how you keep them invested,” said Adam.

The second tip Adam shared is staying focused and asking these questions: What are we working on? What can go wrong? What are we going to do about it? Did we do a good job? 

By asking those questions during threat modeling, you can get into a lot of detail about how to design more secure products and a better understanding of what the security processes will look like. Staying focused on the goal and being reminded of the outcome is challenging, but there will always be video games and Start Wars to help us better analogize these difficult subjects.