Dataflow diagram - how far do I need to drill down?

Question

I'm trying to create a DFD for a threat modeling exercise. How much detail should I get into?

The SDL Threat Modeling guidelines state that I know that my DFD needs more detail when there is still a trust boundary in the DFD. Suppose there is a trust boundary between the datastore A and process B. Since there's a trust boundary, I know the DFD is not detailed enough. How can I go deeper, deep enough that no trust boundary is left? If I drill deeper into the process B and decompose it into smaller parts, will it always be possible to eliminate the trust boundary?
I have CRUD Operations on a database in my dataflow diagram, do I need to create 4 distinct dataflows to accomodate the needs or can I mark the dataflow with "CRUD Operation"?

enter image description here

I don't understand what you are asking. When you say "However, there will always be.... entity?", are you asking a question, or are you making a claim? — D.W., Apr 15 '13 at 17:36
I have added an image to my question. I hope I can clearify my question: When I add more details to the elements of the data flow diagram do I dwelve deeper into the Processes and don't show the 'User','Commands' and 'Response' elements in the Level X DFD anymore? — theXs, Apr 15 '13 at 20:52
I still don't understand the sentence/question that says "However, there will always be...entity?". Is that a question? If so, what is the question? Is it a statement? If so, what is the statement, and where is the evidence for it? It is phrased as a statement, but with a question mark at the end, so it's hard for me to interpret what you're getting at with that part of the question. — D.W., Apr 16 '13 at 01:03
Let me rephrase the question :). Lets say there is a Trust Boundary between the datastore A and Process B. Now, the SDL Presentation states that I know the DFD is detailed enough if there is a no Trust Boundary in the DFD.
My question is how can I go deeper into other DFD level and omit the Trust Boundary. If I go deeper into the process B can I omit the Trust Boundary which is present on the more general level? — theXs, Apr 16 '13 at 07:37

score 3 · Accepted Answer · answered Mar 19 '16 at 16:17

1) I recommend starting with the diagram you have, and expanding it only when or if you find an ambiguity, a place where there's an additional boundary, where you have to ask "how does this work" to understand an attack or defense, etc.

I don't know what this refers to: "The SDL Threat Modeling guidelines state that I know that my DFD needs more detail when there is still a trust boundary in the DFD". I owned those guidelines for several years, and I don't think that they said that (while I was responsible.) Could you add a link?

2) Are permissions on each CRUD operation always the same? If you have to expand on them to clearly communicate how the software works, then a diagram that shows the separate operations is a helpful communication tool.

Fundamentally, the work you do is supposed to help you understand, communicate and analyze effectively. If there's work that someone ("the SDL TM guidelines") is telling you to do, and you don't think you need to do it, perhaps do a small experiment. Then either you'll be surprised, or discover that in that instance, you don't need to go a level deeper.

Saladin · Answer 2 · 2013-04-16T04:12:43.850

Let me try to explain you the DFD in different light; attack trees is a standard and common way of describing a threat. The tree ; depicts different stages that it requires for the threat to be realized, from programing relevance it works just like a tree data structure with parents nodes, child nodes all linked together under a certain context, the context of an attack instance. There are many examples of attack tree on the internet, depending upon the particular threat you want to analyze.

However, now for the question how far ? I say as far it is required to sufficiently realize all the stages that goes in the attack. I see for any DFD there would always be a set of limited inputs and set of transactions states it can go; when you have mapped them all, after that you just have to arrange your actors and trust boundary accordingly.

For e.g for eavesdropping threat analysis two actors must act ; a) listening on network b) comprising end nodes to achieve certain sniffing threat scenario.

Now, in DFD you can further drill down each of these cases as separate user/system interaction scenarios. Here you can write misuse scenarios as explained in OWASP testing guide v3.0

Hope it helps.

Attack trees are an way of modeling attacks, this is a question about the model of the software. — Adam Shostack, Mar 19 '16 at 16:11
You need both models, but one is a model of the software, the other is a model of the attacks. — Adam Shostack, Mar 21 '16 at 14:36
The semantic nature is correct there be difference in syntax. But translation should not be problem when a suitable example or model exists. — Saladin, Mar 22 '16 at 08:50

Dataflow diagram - how far do I need to drill down?

2 Answers2