Last month I gave a talk at SIRAcon 2016, “STPA-Sec: stealing from safety engineering to improve threat modeling.” The talk was well received, and I want to thank both the organizers and attendees for an excellent conference.
The talk was the result of my attendance at the 2016 STAMP workshop. STAMP includes a couple of frameworks that are used within the safety profession, both for hazard analysis (STPA) and accident analysis (CAST). There are a handful of security researchers involved with the group (mainly from MIT Lincoln Labs) and they have developed a version that can be applied to security, STPA-Sec.
STPA has been shown to identify hazards more efficiently and effectively than traditional safety methods such as fault tree analysis, finding more hazards in a shorter period of time. I believe STPA-Sec can do the same for information risk analysis by identifying and communicating risks more effectively than existing threat modeling techniques. Even so, STPA-Sec is still a work in progress, and I found gaps in the model when applying it to a simple banking application: it does not directly address confidentiality, as that isn’t generally a safety concern.
Update: I gave a talk at SIRAcon 2016 on applying STPA/STPA-Sec to security threat modeling!
Beginning in 2012, MIT has held an annual STAMP (Systems-Theoretic Accident Model and Processes) / STPA (STAMP-Based Process Analysis) workshop to discuss the systems safety engineering practices developed by Nancy Leveson and detailed in her book, “Engineering a Safer World.” Interestingly, information security practitioners have participated in 3 of the past 4 workshops, beginning in 2012. STPA-Sec, developed by Nancy Leveson and Bill Young, extends STPA to security and was originally presented at the 2014 STAMP/STPA workshop.
The Call for Participation for the 2016 STAMP workshop is open! Details are available on the PSAS (Partnership for a Systems Approach to Safety) website; the due date is December 10. The workshop itself will be held at MIT March 21-24, with no registration fee. I missed the 2015 workshop but hope to attend in 2016; I’m interested in learning more about STPA-Sec, which seems to be a promising alternative to existing infosec threat modeling approaches.
Three years in the making, information-safety.org is finally launching. As I have studied and learned more about safety, I’ve become increasingly convinced that the Information Security world can benefit from safety risk management methods. I’ve started this site to both share what I’m learning and to invite others to join in the search.
We’re hosted on GitHub, to encourage collaboration and continuous development. You can currently read more about information safety, peruse a collection of resources on safety risk management, or join the LinkedIn group.