Application security has become a major concern in recent years. Attackers are using new techniques to gain access to sensitive data, disable applications and carry out other malicious activities aimed at the software application. Securing an application is imperative in today's world.
Leaving threat modeling out of the Software Development Lifecycle (SDLC) or the risk management process has proven to be disastrous; many vulnerabilities have gone undetected, allowing applications to be attacked and damaged. Threat modelling is the process of systematically identifying and rating the threats that are most likely to affect the system. Threats are identified and rated based on a solid understanding of the architecture and implementation of the application.
The process of threat modelling is summarized in the figure given below:
- Identify the Asset: It is very important that before any kind of risk assessment exercise is carried out, all the assets be identified. This gives a clear understanding of what has to be protected.
- Create an Application overview: Once the assets handled by the application are identified, the goal at this stage is to understand and document the details of the application.
- Decompose the Application: During the decomposition process, the trust boundaries are identified, the data flow is determined along with its entry and exit points.
- Identify & Determine the Threats: Using the details collected about the system under consideration, the threats relevant to the system can be identified. A threat categorization such as STRIDE is useful in the identification of threats by classifying attacker goals such as:
  - S – Spoofing
  - T – Tampering
  - R – Repudiation
  - I – Information Disclosure
  - D – Denial of Service
  - E – Elevation of Privilege
- Document the Threats: Once all the threats with valid attack paths are considered, it is time to document all these threats.
- Rank the Threats: After the threats have been identified and documented, they have to be rated based on the risk they pose to the system. A DREAD threat-risk ranking model is used to calculate risk and accordingly rank the threats, based on:
  - D – Damage potential: How big would the damage be if the attack succeeded?
  - R – Reproducibility: How easy is it to reproduce the attack?
  - E – Exploitability: How much time, effort, and expertise is needed to exploit the threat?
  - A – Affected users: If a threat were exploited, what percentage of users would be affected?
  - D – Discoverability: How easy is it for an attacker to discover this threat?
Once the threats have been ranked, the risk rating section can be filled in the Threat Profile document created in the earlier phase.
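As an added illustration of the ranking step (not code from the original article), the following script scores a few constructed sample threats with the five DREAD factors, ranks them and assigns the rating that would go into the Threat Profile. The 1 to 10 scale per factor, the average-of-five risk formula and the High/Medium/Low bands are assumptions commonly used with DREAD, not values given by the article.

```python
from dataclasses import dataclass, field

# Assumed conventions: each DREAD factor is scored 1..10 and the risk is the
# average of the five scores; the article does not fix a formula.
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information Disclosure", "D": "Denial of Service",
          "E": "Elevation of Privilege"}

@dataclass
class Threat:
    name: str
    stride: str                                  # one-letter STRIDE category
    scores: dict = field(default_factory=dict)   # DREAD factor -> 1..10

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        missing = set(DREAD_FACTORS) - set(self.scores)
        if missing:
            raise ValueError(f"missing DREAD factors: {sorted(missing)}")
        for factor, value in self.scores.items():
            if factor not in DREAD_FACTORS or not 1 <= value <= 10:
                raise ValueError(f"bad score {factor}={value}")

def dread_risk(t: Threat) -> float:
    """Average of the five DREAD scores (assumed formula), 1.0 .. 10.0."""
    return sum(t.scores[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)

def rating(risk: float) -> str:
    """Map the numeric risk to the band written into the Threat Profile (assumed bands)."""
    if risk >= 7.0:
        return "High"
    return "Medium" if risk >= 4.0 else "Low"

def rank_threats(threats):
    """Rows of (rank, name, STRIDE category, risk, rating), highest risk first."""
    ordered = sorted(threats, key=lambda t: (-dread_risk(t), t.name))
    return [(i + 1, t.name, STRIDE[t.stride], round(dread_risk(t), 1),
             rating(dread_risk(t))) for i, t in enumerate(ordered)]

# Constructed sample threats for an imaginary web application.
SAMPLE = [
    Threat("SQL injection in login form", "T", dict(damage=9, reproducibility=8,
           exploitability=7, affected_users=10, discoverability=8)),
    Threat("Verbose stack trace on error page", "I", dict(damage=3, reproducibility=9,
           exploitability=8, affected_users=2, discoverability=7)),
    Threat("Missing audit log for admin actions", "R", dict(damage=5, reproducibility=10,
           exploitability=3, affected_users=1, discoverability=2)),
]

if __name__ == "__main__":
    for row in rank_threats(SAMPLE):
        print("%d. %-38s %-22s risk=%.1f %s" % row)
```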
As the world increases its dependency on computers for critical information, the chances of applications being attacked are also increasing. Network security alone is no longer sufficient to secure an application. Implementing security during the design phase using the threat modeling process ensures that security is designed into the application, thus decreasing the risk of an attack. Threat modeling is an iterative process, and your threat model should evolve over time, adapting to new threats and adjusting to changing business requirements.