|A threat tree to map threats |
to vulnerabilities and countermeasures
(Source OWASP threat modeling)
What is threat modeling?
Threat modeling is a process for modelling security threats and identify design flaws that can be exploited by these threats so that systems can be securely designed and countermeasures implemented to mitigate these threats.
How threat modeling can be performed by an organization?
Threat modeling adds value at different stages in the Software Development Life Cycle (SDLC) such as during Requirements, Design, Development, Test, Deployment and Operations. Carrying out threat modeling in each of these phases directs threat inputs into security activities and allows management of security risks during the overall life cycle. Hence, threat modeling is an iterative process that requires continues updates: new threats have to be assessed because of a design change in the system architecture as well the implementation of new component, the integration with new library etc.
The following security activities are supported by threat modeling during the SDLC:
Requirements: Key stakeholders use white-boarding and collect information through worksheets to identify end to end deployment scenarios. The drawing of abuse cases allows the identification of negative scenarios and a preliminary threat analysis during requirement definition. Data classification can also be performed during requirements to drive the identification of potential threats to the data assets.
Design:Threat modeling the system at design time allows system architects to validate and explore whether the design meets the level of acceptable risks. Flaws in the design can be exposed, and the information thus gathered used to improve the security quality of the design before the system is ever implemented. Furthermore, security testing efforts can be defined in terms of budgets and timelines.
Development:Threat modeling during implementation helps to drive threat analysis into secure code reviews. Flaws in implementation methodologies and lack of development standards can be identified by looking to specific threats. Threats and misuse cases can drive unit test cases during implementation. hence vulnerabilities in the system, can be avoided by bearing in mind the identified threats to the system.
Testing:Threats identified during threat modeling allow the identification of security tests to verify both new and existing security flaws. Penetration tests can be driven by attack vectors for the vulnerabilities identified during threat modeling.
Deployment: Threats identified in the external application environment impact different level of configuration and are mitigated by adopting security by default during deployment.
Operations:By threat modeling an application during system operations it is possible to identify and assess potential security risks and make informed decisions before change management events. Metrics and measurements can be gathered to plan the next releases. Lessons learnt can be used to develop best practices and standards.
What are the benefits of threat modeling?
Threat modeling helps design architects to take a broader view on the security design of the system, hence, enabling them to be aware of a broad range of attack scenarios and threats. Furthermore, they can identify common mistakes made in designs, apply patterns and reuse principles. This leads to a secure design and therefore an improvement in the overall security posture of the system. Developers typically have detailed knowledge about the system's implementation and deployment and therefore their input is very important for threat modeling. When engaged in the process they can also learn how to avoid common implementation bugs and anti-patterns. This process also helps them to be focused on security and ensures it plays a critical role in their decision process.
Quality assurance personnel, security auditors, technical security testers (collectively referred to as security testers) of a system are typically bound by time. Based on experience they also rarely take a systematic approach to testing, focusing on proving or disproving specific instances of vulnerabilities rather than for systematic issues. Threat modeling systematically helps to identify areas of concern in a focused manner, guiding testers to focus on particular parts of the system that are likely to be attacked. It also helps them prioritize time and budget allocation to security quality testing.
Using threat modeling helps project managers to get a better understanding of the security aspects of the system, thus enabling them to better estimate the time and people (money) needed for tests and reviews. This leads to a more predictable project plan that is more likely to be on budget and on time.
By systematically focusing on the important security issues in a system and prioritizing security threats, information risk managers can make risk management decisions based on facts, rather than on guesswork. When information risk managers build threat models early on in the system's development life cycle, they can reduce costs by making decisions such as the mitigation of risks by redesigning components if needed or by introducing countermeasures before much effort is spent on building the wrong solution. By applying systematic threat modeling to production based systems more issues can be found faster (and therefore cheaper) than with other forms of security testing.