Affiliation:
1. School of Computer Science, University of Bristol Bristol UK
2. Computr Laboratory, University of Cambridge Cambridge UK
3. School of Informatics, University of Edinburgh Edinburgh UK
Abstract
AbstractThreat modeling is one of the foundations of secure systems engineering and must take heed of the context within which systems operate. In this work, we explore the extent to which real‐world systems engineering reflects a changing threat context. We examine the desktop clients of six widely used end‐to‐end‐encrypted mobile messaging applications to understand the extent to which they adjusted their threat model over space (when enabling clients on new platforms, such as desktop clients) and time (as new threats emerged). We experimented with short‐lived adversarial access against these desktop clients and analyzed the results using two popular threat elicitation frameworks, STRIDE and LINDDUN. The results demonstrate that system designers need to track threats in the evolving context within which systems operate and, more importantly, mitigate them by rescoping trust boundaries so that they remain consistent with administrative boundaries. A nuanced understanding of the relationship between trust and administration is vital for robust security, including the provision of safe defaults.
Reference46 articles.
1. The OWASP Foundation.OWASP secure coding practices quick reference guide.https://owasp.org/www‐pdf‐archive/OWASP_SCP_Quick_Reference_Guide_v2.pdf
2. SAFECode.Practical security stories and security tasks for agile development environments.http://safecode.org/wp‐content/uploads/2018/01/SAFECode_Agile_Dev_Security0712.pdf
3. Microsoft.Secure DevOps.https://www.microsoft.com/en‐us/securityengineering/devsecops
4. A privacy threat analysis framework: supporting the elicitation and fulfillment of privacy requirements