An enterprising British security professional has won NCC Group’s £10,000 ($16,000) ‘Cyber 10K’ prize after proposing a security tool designed to overcome the problems that have held back application threat modelling among developers.
Threat modelling is supposed to be an important way for developers to understand where weak points might lie in their applications when used under real-world conditions. Unfortunately, the manual and standalone nature of existing threat-modelling tools means that the models they produce often end up being ignored and allowed to go to seed as the software moves on.
The solution proposed by security developer Ian Peters is Minerva (named after the Roman goddess of wisdom), essentially a system that turns threat modelling functions into a centralised, cloud-based service with versioning and the ability to generate all-important documentation.
Peters’ idea was ambitious enough to incorporate different types of threat input, including ‘top-down’ models created manually and bottom-up data input from the scanning of source code for flaws, binaries or whole systems.
“Threat modelling is a way of looking at a product and saying ‘how could we attack this and what are the problems that need to be fixed’,” said Peters.
Once developers understand where these chinks in the armour are located they can take account of them when building and eventually changing the application.
“The whole point of Minerva is to professionalise threat modelling,” said Peters, whose career has taken in GCHQ’s CESG and consultancy work for Microsoft and BlackBerry. During this time he was repeatedly frustrated by the amount of time spent creating threat models that ended up not being used.
“The next target is to make it useable through open source projects through partnerships. Developers who work for small and large companies should be able to benefit from it,” said Peters.
The prize was won on the basis of a conceptual plan, but he had already started working on alpha software that would, he hoped, bear fruit by November. A version 1.0 could then appear in the first half of next year.
NCC Group’s attention has also brought him support from its engineers, with the possibility of testing the tool later in a live environment.
Peters’ more technical explanation of his system can be seen in a YouTube video he made.
“We had some high quality entries, but Ian’s really stood out from the rest. His innovative approach to a historically tricky discipline could make a real change to how an essential element of security is tackled by business,” said NCC Group CEO, Rob Cotton.
“We spend too much time as an industry in a defensive posture, trying to keep the cyber threat at bay. One of the best ways to do this is through innovative thinking, and I’m buoyed by the fact that Cyber 10K has this year led to what could be a significant improvement.”