Threat Modeling

By Paladion

July 15, 2004

Threat modeling is a structured approach to identifying and planning mitigation for all the threats to any application.

Threat modeling is a structured approach to identifying and planning mitigation for all the threats to any application. It is gaining popularity today as a method for addressing the different threats an application may face. There are threats associated with any asset. These threats need to be envisaged before hand and counter measures put into place. A web application is no different. It involves a number of assets which need to be protected. The best way to prepare for these is to start in the design phase. We should enumerate all possible threats to our application and the assets associated with it and build a threat model that will help us in the design and development of the application.

For example the most common threats to an online banking application would be phishing, eavesdropping, bypassing authentication, man in the middle attacks etc. Identifying the threats helps us to start on the road for planned mitigation.

The Steps in Threat Modeling

Threat Modeling is done in 4 steps:

  1. First, we need to understand the application architecture
    and its working in order to think of all
    possible ways an attacker can exploit it.
  2. The next step is to identify what we need to protect.
    Assets may be tangible like web servers and database
    servers, or intangible like the data it handles.
    The data may be the users' passwords, account
    numbers and financial statements.
  3. In the third step, all the vulnerabilities associated
    with each asset should be listed down and we also
    need to make a list of all the possible ways an attacker
    may exploit the system.
  4. The last step is to come up with mitigation strategies
    for each threat.

Designers use Attack Trees and Data Flow diagrams to model these threats. Tools like Microsoft's Threat Modeling Tool are handy to capture this information.

Start Early and Refine Continuously

A Threat Model helps take security decisions throughout the development life cycle. It should be prepared at the start of the cycle. It can then be referred to by different teams to take decisions. The design team can use the model to decide on which technologies to use. The testing team can refer it to build security
test cases.

The 4-Step Approach

  1. Decompose and understand the application
  2. Identify the assets
  3. Identify the threats and vulnerabilities
  4. Create mitigation strategies

A model once developed is not final, we will need to keep adding to it or modifying it as the development of the application progresses, as new vulnerabilities are found or as new mitigation techniques are developed. As pointed out in the OWASP Testing Guide, "Threat models should be created as early as possible in the software development life cycle and should be revisited as the application evolves and development progresses".

Tags: Technical