Threat Modeling |

Threat modelling has a structured approach that is far more cost-efficient and effective than applying security features in a haphazard manner without knowing precisely what threats each feature is supposed to address. With a random “shotgun” approach to security, it is not possible to know when the application is “secure enough”, or the areas where the application is still vulnerable.

Threat modelling consists of understanding the adversary’s view of the system, characterising security strengths, and determining and investigating threats. Used effectively, threat modelling can find security strengths and weaknesses, discover vulnerabilities, can help shape the application design and reduce risks inline with your company’s security objectives.

The main objectives of threat modelling are to:

: Understand the threat profile of a system

: Shape application design to meet your organisation’s security objectives

: Discover vulnerabilities and make trade-offs during key engineering decisions

: Reduce risks of security issues arising during development and operations

AppSecure Labs’ approach to threat modelling involves gathering information on application design and functionality through scheduled meetings with development teams and through design documentation.

An application threat model involves the following phases:

Identify security objectives

Clear objectives help focus the threat modelling activity and determine how much effort to spend on subsequent steps. This can be aligned with company security policy or to meet compliance and legal requirements.

Create an application overview

Itemising an application’s important characteristics and actors to help identify relevant threats. Using simple diagrams and tables to document the architecture of an application, including subsystems, trust boundaries and data flow.

Decompose your application

Decompose the application architecture, including underlying network and host infrastructure design, to create a security profile of the application. The aim of the security profile is to uncover the vulnerabilities in the design, implementation and deployment configurations.

Identify threats

Identify threats relevant to the application scenario and context. Keeping the goals of an attacker in mind, and with the knowledge of architecture and potential vulnerabilities, identify the threats that could affect the application.

Identify vulnerabilities

Review and rate vulnerabilities in order to address the most significant threats first. The riskrating process weighs the probability of a threat against damage that could result should an attack occur.

The output from the threat-modelling process is a document for various members of the project development team. It allows them to clearly understand the threats that need to be addressed and the effective security countermeasures to address them.

Threat Modeling

“Until you understand the threats,

You cannot protect your applications against attacks.”

Understand the threat profile of a system

Shape application design to meet your organisation’s security objectives

Discover vulnerabilities and make trade-offs during key engineering decisions

Reduce risks of security issues arising during development and operations

Approach

Identify security objectives

Create an application overview

Decompose your application

Identify threats

Identify vulnerabilities

Deliverables

RT appsecurelabs: What are the most difficult challenges re #DevSecOps #DevSecCon #london #DevOps #AppSec https://t.co/lK8mYMbS2N

RT appsecurelabs: What are the most difficult challenges re #DevSecOps #DevSecCon #london #DevOps #AppSec https://t.co/LMBZ2OSnbS

RT appsecurelabs: Our company has a Cylex profile! Check it out, follow us, write reviews and get 20% off of your f… https://t.co/RXQu3r5BDb

RT @appsecurelabs: Our company has a Cylex profile! Check it out, follow us, write reviews and get 20% off of your first order. #AppSecureL…

RT @appsecurelabs: The nastiest ransomware, phishing and botnets of 2019 #CyberSecurity #CyberThreat #Ransomware #Phishing #Botnets #Info…

RT appsecurelabs: The nastiest ransomware, phishing and botnets of 2019 #CyberSecurity #CyberThreat #Ransomware… https://t.co/b2FPI4MH7U

RT appsecurelabs: Top 10 Container and Kubernetes Security Questions to Ask Your Team #AppSec #DevSecOps #Security… https://t.co/1YdWnbDEqA

The jobs posting for Senior Penetration Tester is now Live at: https://t.co/JpwR3WzW85 #infosec #pentest #security… https://t.co/XDyc0D4QqB

RT appsecurelabs: Attackers compromised Volusion's Google Cloud environment to load malicious skimmer code onto mor… https://t.co/eRnNYVuMnN

RT appsecurelabs: DevSecOps Easier Said Than Done #DevOps #DevSecOps #AppSec #InfoSec #Security #AppSecureLabs https://t.co/gfPX9Rsxtp

Connect with Us