Around 80% of security bugs and defects are introduced during the early stages of software development, often before a single line of code has been written. Fixing security holes early in the software development life cycle is both more cost-effective and more efficient than the traditional test-and-patch approach.
What Is Threat Modeling?
Threat modelling is a technique for identifying threats, attacks, vulnerabilities, and countermeasures in the context of an application scenario. It identifies, assesses, and documents the highest-risk areas of an application and ties them to known attacks and countermeasures. It enables us to understand a system's threat profile by examining it through the eyes of an attacker. By gaining a deep understanding of the application's business logic and design and then modelling the threats, the team can significantly reduce the attack surface before a single line of the application is coded. Techniques such as entry-point identification, privilege boundaries, and threat trees help identify strategies to mitigate potential threats to the application. Threat modelling is also used extensively with existing applications to prioritize the in-scope mechanisms for code review and application security testing.
Threat modelling helps to:
- Identify security objectives.
- Identify relevant threats.
- Identify relevant vulnerabilities and countermeasures.
qSEAp’s Methodology
qSEAp performs the following activities during a threat modelling:
- Gather Information: Understand the application's use cases, business requirements, data types, technical design, and other information by interviewing key stakeholders and analyzing technical documents.
- Decompose the Application: Break the application out into user roles, data types, and hardware/software components used. A detailed understanding of the mechanics of the application makes it easier to uncover more relevant and more detailed threats.
- Create Data Flow Diagrams: Map out data flow between logical components at various levels of granularity. Identify Entry-Points, which are the starting points for understanding potential threats. This builds a strong knowledge of the application flow and serves as a base for understanding the root cause of vulnerabilities.
- Identify Threats: Identify threats and varying levels of risk relevant to the application scenario and context. This serves as a base to prioritize threats during the 'attack tree' phase.
- Understand the Threats: Understand the potential threats at an entry point by identifying any security-critical activities that occur and imagining what an adversary might do to attack or misuse the system.
- Categorize the Threats: Consider the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation Of Privilege) approach, and categorize the threats. Categorizing a threat is the first step toward effective mitigation.
- Identify Mitigation Strategies: Create a Threat Tree to determine how to mitigate the threats. For each of the leaf conditions, a possible mitigation strategy is identified.
- Use Cases: Outline the major use cases for the application and analyze each for potential threats to confidentiality, integrity, and availability.
- Attack Trees: Determine possible attacks for each attack vector outlined in the use case, prioritized by risk. Determine countermeasures for each attack and use this as either a basis for application design or as a checklist during penetration testing/source code review.
- Test: The threat model becomes a plan for penetration testing, which investigates the identified threats by directly attacking the system, either with prior knowledge of its internals (white-box) or without it (black-box).
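The steps above (decompose the application, draw the data flows and trust boundaries, mark entry points, categorize threats with STRIDE, hang a mitigation on each threat-tree leaf, and rank by risk) can be captured in a small script. The following is an added illustration, not qSEAp's own tooling: the STRIDE-per-element table, the 1..3 likelihood and impact scales, the mitigation catalogue, and the sample browser / web app / database diagram are all constructed assumptions for this example.

```python
from dataclasses import dataclass

# STRIDE-per-element defaults (assumption: the commonly used table;
# adjust it for the application under review).
STRIDE_BY_KIND = {
    "external": "SR",      # external entities: spoofing, repudiation
    "process": "STRIDE",   # processes: all six categories
    "store": "TRID",       # data stores: tampering, repudiation (logs), disclosure, DoS
    "flow": "TID",         # data flows: tampering, disclosure, DoS
}

STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# Default mitigation per category; each threat-tree leaf points at one of these.
MITIGATIONS = {
    "S": "authenticate the principal (strong credentials, mutual TLS)",
    "T": "integrity protection (input validation, signatures, parameterized queries)",
    "R": "tamper-evident audit logging with synchronized clocks",
    "I": "encrypt in transit and at rest; least-privilege access control",
    "D": "rate limiting, quotas, and resource limits",
    "E": "least privilege and an authorization check on every request",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # "external" | "process" | "store"
    zone: str            # trust zone, e.g. "internet", "dmz", "internal"
    impact: int          # 1..3 (constructed scale): damage if compromised
    entry_point: bool = False  # data enters the system here


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    impact: int          # 1..3: sensitivity of the data carried


@dataclass(frozen=True)
class Threat:
    target: str
    category: str
    likelihood: int
    impact: int
    mitigation: str

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


def crosses_boundary(flow, elements):
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    zone = {e.name: e.zone for e in elements}
    return zone[flow.src] != zone[flow.dst]


def enumerate_threats(elements, flows):
    """Apply STRIDE-per-element; entry points and boundary-crossing flows get higher likelihood."""
    threats = []
    for e in elements:
        likelihood = 3 if e.entry_point else 2
        for c in STRIDE_BY_KIND[e.kind]:
            threats.append(Threat(e.name, STRIDE_NAMES[c], likelihood, e.impact, MITIGATIONS[c]))
    for f in flows:
        likelihood = 3 if crosses_boundary(f, elements) else 1
        target = f"{f.src} -> {f.dst} ({f.data})"
        for c in STRIDE_BY_KIND["flow"]:
            threats.append(Threat(target, STRIDE_NAMES[c], likelihood, f.impact, MITIGATIONS[c]))
    return threats


def prioritize(threats):
    """Highest risk first; sorted() is stable, so ties keep enumeration order."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def threat_tree(threats):
    """Root = attacked component, leaves = (STRIDE category, mitigation)."""
    tree = {}
    for t in threats:
        tree.setdefault(t.target, []).append((t.category, t.mitigation))
    return tree


# Constructed sample DFD: a browser on the internet talks to a web app in the
# DMZ, which queries a database in the internal zone.
ELEMENTS = [
    Element("Browser", "external", "internet", impact=1),
    Element("Web App", "process", "dmz", impact=2, entry_point=True),
    Element("Database", "store", "internal", impact=3),
]
FLOWS = [
    Flow("Browser", "Web App", "credentials", impact=3),
    Flow("Web App", "Database", "SQL query", impact=2),
]

if __name__ == "__main__":
    ranked = prioritize(enumerate_threats(ELEMENTS, FLOWS))
    for t in ranked[:5]:
        print(f"risk={t.risk} {t.target}: {t.category} -> {t.mitigation}")
    for root, leaves in threat_tree(ranked).items():
        print(root)
        for category, mitigation in leaves:
            print(f"  - {category}: {mitigation}")
```

Running it lists 18 threats for the sample diagram and ranks the credential flow across the internet/DMZ boundary at the top; the printed tree is the checklist the "Attack Trees" and "Test" steps refer to, with one mitigation per leaf. In practice the likelihood and impact values come from the stakeholder interviews in the first step, not from fixed defaults.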
Why Threat Modeling?
Threat modelling identifies software security flaws before the software is even built, so developers can avoid implementing insecure designs. It also lets the development team justify the security features of a system, and the security practices for using it, that protect corporate assets.
Threat modelling helps in:
- Shape the application design to meet the security objectives.
- Make informed trade-offs during key engineering decisions.
- Reduce the risk of security issues arising during development and operations.
Customer Advantages
- Cost reduction, because the model prioritizes the other application security testing activities.
- Threat modelling lets architects and designers evaluate the application's design for vulnerabilities while it is still in the design phase.
- Threat modelling can be perceived as an asset, as it can be used in future releases to evaluate whether new security controls need to be put in place or whether existing controls are sufficient.