Threat modeling for web application security | CyberNcrypt
Threat modeling is a process that helps you identify and mitigate threats. It is critical because it forces you to look at security risks from the top down, to focus on making and prioritising cybersecurity decisions, and to consider how best to use your resources. There are numerous approaches to threat modeling, but they all share the same goal: they are tools that help you determine what could harm your security posture and what you can do about it.
A threat model is a structured representation of all the information that affects an application’s security. In essence, it is a security perspective on the application and its environment.
How is threat modeling carried out?
In general, threat modeling allows you to think like a potential attacker. It forces you to ask questions such as: What do we have that is worth attacking? How could it be harmed? Where would an attacker begin? It also uses visual aids to help you see threats more clearly and work out attack vectors more easily.
If you were to use threat modeling to protect your home, you would begin by drawing each floor and marking where the windows and doors are located. Then you would try to work out what a burglar would want to steal, how they would try to break in to steal it, and what you could put in place to prevent this (locks, alarm systems, safes, and so on). This is very similar to how threat modeling is performed in software development, including for web applications.
Web application threat modeling is a subset of overall threat modeling and should not be treated as a separate exercise. Web applications are always linked to other system elements such as web servers, application servers, data stores and operating systems. If you model only the web application, you will miss many threats and the paths by which they arrive.
Software, applications, systems, networks, distributed systems, Internet of Things (IoT) devices, and business processes can all benefit from threat modeling.
The threat model typically includes the following elements:
- A detailed description of the subject being modeled
- Assumptions that can be checked or challenged as the threat landscape evolves
- Potential system threats
- Actions that can be taken to mitigate each threat
- A method of validating the model and threats, as well as verifying the success of actions taken
Objectives of Threat Modeling
Threat modeling is a set of activities that improves security by identifying threats and then developing countermeasures to prevent or mitigate their effects on the system. A threat is a potential or actual adverse event that may be malicious (such as a denial-of-service attack) or accidental (such as the failure of a storage device). Threat modeling is therefore a planned activity for identifying and assessing application threats and vulnerabilities.
When and where should threat modeling be performed?
Threat modeling should begin as soon as the application is being designed and should never end; it becomes an essential part of information security risk management. As soon as you start thinking about your application, your security team should consider how it could be exploited and model the potential threats. The sooner you detect potential threats, the easier it is to decide how to protect against them with countermeasures such as redesigning parts of the system. You must therefore incorporate threat modeling into your software development lifecycle (SDLC) from the beginning of the design process and throughout DevOps.
Because your systems are constantly evolving, threat modeling is an ongoing process. Every change in your environment should be accompanied by a reassessment of potential threats; even a minor change can introduce a significant new threat that must be mitigated. At the same time, threat modeling should not be limited to your own assets: it may be necessary to assess your users, business partners and other stakeholders, because threats to your systems may arrive indirectly when those systems are part of a larger whole.
What are the stages of threat modeling?
The threat modeling procedure can be broken down into three high-level steps. Each step is documented as it is completed, and the resulting document is the application's threat model.
The steps involved in threat modeling are:
- Decompose the Application – The first step is to understand the application and how it interacts with external entities.
- Determine and Rank Threats – Applying a threat categorization methodology is essential for identifying threats. You can use a categorization such as STRIDE, or the Application Security Framework (ASF), which defines threat categories including Auditing & Logging, Authentication, Authorization, Configuration Management, Data Protection in Storage and Transit, Data Validation, and Exception Management.
- Determine Countermeasures and Mitigation – A vulnerability is mitigated by implementing a countermeasure, and threat-countermeasure mapping lists can be used to identify suitable ones. Once the threats have been assigned a risk ranking in step 2, they can be sorted from highest to lowest risk so that mitigation efforts are prioritized.
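The three steps above can be carried out as "threat modeling as code". The following Python script is an added example, not part of the original article: it decomposes a constructed web application into elements and data flows with trust zones (step 1), applies STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) per element type and ranks the resulting threats (step 2), and attaches a countermeasure from a mapping list (step 3). The STRIDE-per-element applicability table is the commonly used one; the likelihood/impact scoring rules, the sensitivity values and the countermeasure text are illustrative assumptions for this example.

```python
from dataclasses import dataclass

# STRIDE categories, keyed by their initial letter.
STRIDE = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# STRIDE-per-element: which categories apply to each element type
# (data flows get T, I and D).
APPLICABLE = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "flow": "TID"}

# Step 3: a threat-to-countermeasure mapping list (illustrative entries, an assumption).
COUNTERMEASURES = {
    "S": "authenticate every caller (MFA, signed session tokens)",
    "T": "protect integrity (TLS, input validation, signed messages)",
    "R": "tamper-evident audit logging",
    "I": "encrypt in transit and at rest; least-privilege data access",
    "D": "rate limiting, quotas and capacity headroom",
    "E": "authorization check on every request; least privilege",
}


@dataclass
class Element:
    name: str
    kind: str         # "external", "process" or "datastore"
    trust_zone: str   # e.g. "internet", "dmz", "internal"
    sensitivity: int  # 1 (low) .. 3 (high): impact if this element is compromised


@dataclass
class Flow:
    src: Element
    dst: Element
    data: str
    encrypted: bool
    sensitivity: int  # impact if the data on this flow is altered or exposed

    @property
    def name(self) -> str:
        return f"{self.src.name} -> {self.dst.name}"

    @property
    def crosses_boundary(self) -> bool:
        return self.src.trust_zone != self.dst.trust_zone


@dataclass
class Threat:
    target: str
    category: str   # STRIDE letter
    likelihood: int  # 1 .. 3
    impact: int      # 1 .. 3

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    @property
    def countermeasure(self) -> str:
        return COUNTERMEASURES[self.category]

    def __str__(self) -> str:
        return f"[{self.risk}] {STRIDE[self.category]:<22} on {self.target:<20} -> {self.countermeasure}"


def enumerate_threats(elements, flows):
    """Step 2a: apply STRIDE-per-element to every element and data flow.
    Scoring rule (assumed for this example): element threats start at
    likelihood 1; a flow gains +1 for crossing a trust boundary and +1 if it
    is unencrypted and the threat is tampering or information disclosure."""
    threats = []
    for e in elements:
        for c in APPLICABLE[e.kind]:
            threats.append(Threat(e.name, c, likelihood=1, impact=e.sensitivity))
    for f in flows:
        for c in APPLICABLE["flow"]:
            likelihood = 1
            if f.crosses_boundary:             # attacker-reachable edge
                likelihood += 1
            if not f.encrypted and c in "TI":  # plaintext is easy to read or alter
                likelihood += 1
            threats.append(Threat(f.name, c, likelihood, f.sensitivity))
    return threats


def rank(threats):
    """Step 2b: highest risk first (stable sort, so enumeration order breaks ties)."""
    return sorted(threats, key=lambda t: -t.risk)


def build_sample_model():
    """Step 1: a constructed decomposition of a small web application."""
    browser = Element("Browser", "external", "internet", sensitivity=1)
    webapp = Element("Web app", "process", "dmz", sensitivity=2)
    db = Element("User DB", "datastore", "internal", sensitivity=3)
    flows = [
        Flow(browser, webapp, "credentials, session cookie", encrypted=True, sensitivity=3),
        Flow(webapp, db, "user records", encrypted=False, sensitivity=3),
    ]
    return [browser, webapp, db], flows


if __name__ == "__main__":
    elements, flows = build_sample_model()
    for t in rank(enumerate_threats(elements, flows)):
        print(t)
```

Running the script lists 18 threats sorted by risk. The top two are tampering with and disclosure of the unencrypted web-app-to-database flow, which illustrates the earlier point that modeling only the web application would have missed the highest-ranked threats in this system.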
Benefits
Threat modeling provides a clear “line of sight” across a project, allowing security efforts to be justified. The threat model enables rational security decisions to be made with all available information.
The threat modeling process generates an assurance argument that can be used to explain and defend an application’s security. An assurance argument begins with a few high-level claims that are supported by sub-claims or evidence.