- These documents enable you to identify, quantify, and address the security risks associated with an application.
- Threat modeling looks at a system from a potential attacker's perspective, as opposed to a defender's viewpoint.
- The threat modeling process can be broken down into 3 parts:
  - Decompose the Application
  - Determine and Rank Threats
  - Determine Countermeasures and Mitigation
- Decomposing the application involves:
  - Gaining a basic understanding of the application
  - Understanding how it interacts with external entities
  - Creating use cases to understand how the application is used
  - Identifying entry points to see where a potential attacker could interact with the application
  - Identifying assets, i.e. items or areas that the attacker would be interested in
  - Identifying trust levels that represent the access rights that the application will grant to external entities
- Using a threat categorization is critical, such as:
  - STRIDE
  - Application Security Frame
- These provide threat categories like:
  - Auditing & Logging
  - Authentication
  - Authorization
  - Configuration Management
  - Data Protection in Storage and Transit
  - Data Validation
  - Exception Management
- The goal of the threat categorization is to help:
  - Identify threats from the attacker's perspective: STRIDE
  - Identify threats from the defensive perspective: Application Security Frame
- DFDs help identify potential threats from the attacker's perspective, such as:
  - Data Sources
  - Processes
  - Data Flows
  - Interactions with Users
- Identify threats from

vulnerability may be mitigated with the implementation of a countermeasure. The risk mitigation strategy might involve evaluating these threats by the business impact they pose. Once the possible impact is identified, options for addressing the risk include:
- Accept: decide that the business impact is acceptable
- Eliminate: remove components that make the vulnerability possible
- Mitigate: add checks or controls that reduce the risk impact, or the chances of its occurrence
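The three parts of the process above (decompose into DFD elements, determine and rank threats with STRIDE, pick Accept / Eliminate / Mitigate per threat) can be walked through on a small constructed model. The following is an added example and not code from these notes or from OWASP; the login-flow DFD, the impact and likelihood scores, the decision thresholds in `decide`, and the STRIDE-per-element mapping in `APPLICABLE` (the common convention of which STRIDE letters apply to each DFD element kind) are all assumptions made for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Kind(Enum):
    """DFD element kinds, matching the targets the notes list (sources, processes, flows, users)."""
    EXTERNAL = "external entity"
    PROCESS = "process"
    STORE = "data store"
    FLOW = "data flow"


STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Assumption: which STRIDE categories are worth considering for each element kind.
# This is the usual STRIDE-per-element convention, not something the notes state.
APPLICABLE = {
    Kind.EXTERNAL: "SR",
    Kind.PROCESS: "STRIDE",
    Kind.STORE: "TRID",
    Kind.FLOW: "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: Kind
    crosses_trust_boundary: bool  # an entry point reachable from a lower trust level
    removable: bool = False       # could the component simply be dropped ("Eliminate")?


@dataclass(frozen=True)
class Threat:
    element: Element
    category: str    # full STRIDE name
    impact: int      # business impact, 1 (low) .. 5 (critical)
    likelihood: int  # 1 (rare) .. 5 (expected)

    @property
    def risk(self) -> int:
        # Simple impact x likelihood score used for ranking (assumed scheme).
        return self.impact * self.likelihood


def decompose() -> list[Element]:
    """Step 1: a constructed DFD of a login feature (every value is invented for the example)."""
    return [
        Element("Browser user", Kind.EXTERNAL, crosses_trust_boundary=True),
        Element("Login handler", Kind.PROCESS, crosses_trust_boundary=True),
        Element("Credential DB", Kind.STORE, crosses_trust_boundary=False),
        Element("Session cookie -> browser", Kind.FLOW, crosses_trust_boundary=True),
        Element("Legacy remember-me token", Kind.PROCESS, crosses_trust_boundary=True, removable=True),
    ]


def example_impact(el: Element, letter: str) -> int:
    """Constructed business-impact scores: credential disclosure is worst, DoS on login is least."""
    if el.kind is Kind.STORE and letter == "I":
        return 5
    if letter in "SE":
        return 4
    if letter == "D":
        return 2
    return 3


def enumerate_threats(elements: list[Element], impact_of) -> list[Threat]:
    """Step 2a: one candidate threat per applicable STRIDE category per element."""
    threats = []
    for el in elements:
        for letter in APPLICABLE[el.kind]:
            # Assumed heuristic: elements exposed across a trust boundary are likelier targets.
            likelihood = 4 if el.crosses_trust_boundary else 2
            threats.append(Threat(el, STRIDE[letter], impact_of(el, letter), likelihood))
    return threats


def rank(threats: list[Threat]) -> list[Threat]:
    """Step 2b: highest risk first (sorted is stable, so ties keep DFD order)."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def decide(threat: Threat, accept_below: int = 6, eliminate_at: int = 16) -> str:
    """Step 3: Accept low risk, Eliminate a removable component at high risk, otherwise Mitigate."""
    if threat.risk < accept_below:
        return "Accept"
    if threat.risk >= eliminate_at and threat.element.removable:
        return "Eliminate"
    return "Mitigate"


def build_plan() -> list[tuple[str, str, int, str]]:
    """Run all three steps and return (element, STRIDE category, risk, treatment) rows."""
    threats = rank(enumerate_threats(decompose(), example_impact))
    return [(t.element.name, t.category, t.risk, decide(t)) for t in threats]


if __name__ == "__main__":
    for name, category, risk, treatment in build_plan():
        print(f"{risk:>2}  {treatment:<9} {category:<24} {name}")
```

The output is a ranked worksheet: the spoofing and elevation threats on the boundary-crossing login components come out on top, the optional remember-me component is the only one where "Eliminate" is chosen, and only the low-impact denial-of-service threat on the internal credential store is accepted. Changing the scores or thresholds is how a real model would reflect its own business-impact assessment.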