Threat Modeling |

Threat modelling has a structured approach that is far more cost-efficient and effective than applying security features in a haphazard manner without knowing precisely what threats each feature is supposed to address. With a random “shotgun” approach to security, it is not possible to know when the application is “secure enough”, or the areas where the application is still vulnerable.

Threat modelling consists of understanding the adversary’s view of the system, characterising security strengths, and determining and investigating threats. Used effectively, threat modelling can find security strengths and weaknesses, discover vulnerabilities, can help shape the application design and reduce risks inline with your company’s security objectives.

The main objectives of threat modelling are to:

: Understand the threat profile of a system

: Shape application design to meet your organisation’s security objectives

: Discover vulnerabilities and make trade-offs during key engineering decisions

: Reduce risks of security issues arising during development and operations

AppSecure Labs’ approach to threat modelling involves gathering information on application design and functionality through scheduled meetings with development teams and through design documentation.

An application threat model involves the following phases:

Identify security objectives

Clear objectives help focus the threat modelling activity and determine how much effort to spend on subsequent steps. This can be aligned with company security policy or to meet compliance and legal requirements.

Create an application overview

Itemising an application’s important characteristics and actors to help identify relevant threats. Using simple diagrams and tables to document the architecture of an application, including subsystems, trust boundaries and data flow.

Decompose your application

Decompose the application architecture, including underlying network and host infrastructure design, to create a security profile of the application. The aim of the security profile is to uncover the vulnerabilities in the design, implementation and deployment configurations.

Identify threats

Identify threats relevant to the application scenario and context. Keeping the goals of an attacker in mind, and with the knowledge of architecture and potential vulnerabilities, identify the threats that could affect the application.

Identify vulnerabilities

Review and rate vulnerabilities in order to address the most significant threats first. The riskrating process weighs the probability of a threat against damage that could result should an attack occur.

The output from the threat-modelling process is a document for various members of the project development team. It allows them to clearly understand the threats that need to be addressed and the effective security countermeasures to address them.

Threat Modeling

“Until you understand the threats,

You cannot protect your applications against attacks.”

Understand the threat profile of a system

Shape application design to meet your organisation’s security objectives

Discover vulnerabilities and make trade-offs during key engineering decisions

Reduce risks of security issues arising during development and operations

Approach

Identify security objectives

Create an application overview

Decompose your application

Identify threats

Identify vulnerabilities

Deliverables

The jobs posting for Senior Penetration Tester is now Live at: https://t.co/JpwR3WzW85 #infosec #pentest #security… https://t.co/XDyc0D4QqB

RT appsecurelabs: Attackers compromised Volusion's Google Cloud environment to load malicious skimmer code onto mor… https://t.co/eRnNYVuMnN

RT appsecurelabs: DevSecOps Easier Said Than Done #DevOps #DevSecOps #AppSec #InfoSec #Security #AppSecureLabs https://t.co/gfPX9Rsxtp

RT appsecurelabs: Vulnerability in Cisco Webex and Zoom may expose online meetings to snooping #WebAppSec #InfoSec… https://t.co/2zgv5MyU7Q

RT appsecurelabs: While technology is crucial for implementing DevSecOps, it is the people, processes and culture t… https://t.co/eejRrwD1xA

What DevSecOps cultural, technology, process or education hurdles your organisation is facing? What steps have you… https://t.co/HN7wsHiLNC

RT appsecurelabs: 61% of firms that integrate security into their software development process can deploy to produc… https://t.co/TEmEEqUAXn

RT appsecurelabs: Gartner: Application security programs coming up short #AppSec #DevSecOps #DevOps https://t.co/yw6VIIxkQr

RT @appsecurelabs: Gartner: Application security programs coming up short #AppSec #DevSecOps #DevOps https://t.co/iUnulLIyzm

RT @appsecurelabs: The gaming community is a rising target for credential stuffing attacks #cybersecurity #webappsec https://t.co/774wx5rljR

Connect with Us