A threat is anything – a malicious external attacker, an internal user, a system instability, etc. – that may harm the assets owned by an application (resources of value, such as the data in a database or in the file system) by exploiting a vulnerability.
As the name suggests, threat modeling is the process of creating a structured representation of the threats to an application and its vulnerabilities, with the purpose of optimizing the security and performance of that application. As part of the threat modeling process, threats are identified from a hacker’s perspective, and countermeasures are then put in place to manage and mitigate those risks.
QUESTIONS TO BE ASKED
What are my most valuable assets?
Where am I most vulnerable to attack?
What are the threats I am most predisposed to?
Is there an attack vector that has gone unnoticed?
How can an attacker change the authentication data?
Compassites Threat Modeling
Compassites’ approach to threat modeling involves the following steps which are further explained in subsequent sections:
- Decomposing the Application
- Identifying External Dependencies
- Finding Entry Points
- Trust Levels
- Determine Threats & Ranking Threats
- Analyzing Threats
- Security Controls
- Mitigation Strategy
Decomposing the Application
- Gaining an understanding of the application information
- Understanding the application and how it interacts with external entities
- Creating use cases to understand how the application works
Identifying External Dependencies
- Identifying the application server
- Identifying the Database of the application
- Making private connections between database and servers
- Ensuring that the web server communicates via TLS
Finding Entry Points
Identifying all the entry points of the application. This includes the following input fields:
- All the input fields displayed on the ‘Register New User’ screen
- All the input fields displayed on the ‘Login’ page
- All the input fields displayed on the ‘Forgot Password’ page
Trust Levels
This step defines the roles in the application and the access rights granted to each role, such as users and admins:
- User level access rights
- Website admin level access
- Database server admin level access
Determine Threats & Ranking Threats
The STRIDE threat model is used to identify and rank threats and then develop necessary counter mechanisms:
- Spoofing Identity – illegally using another user’s authentication information such as username/password
- Tampering with data – compromising the integrity of the system by malicious alteration of data
- Repudiation – performing illegal operations on a system that lacks the ability to trace those operations
- Information Disclosure – compromising the confidentiality of information by making it accessible to unauthorized persons
- Denial of Service – the attacks that make service unavailable to valid users
- Elevation of Privilege – an unprivileged user gaining access higher than what is legitimate for his/her level by breaking all defenses of the system/application.
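A structured threat register is the artifact the steps above produce. The following Python module is an added example (not Compassites’ tooling): it records the entry points and trust levels named in the earlier sections, classifies each threat by STRIDE category, ranks threats, and reports which ones still lack a countermeasure and which entry points have STRIDE categories nobody has considered yet. The scoring scheme (likelihood × impact, each on a 1–3 scale) and the sample threats are assumptions constructed for illustration.

```python
"""Minimal threat register: STRIDE classification and ranking.

Added example, not Compassites' code. Entry points and trust levels come
from the methodology text; the 1..3 likelihood/impact scale and the
sample threats are constructed for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Stride(Enum):
    SPOOFING = "Spoofing Identity"
    TAMPERING = "Tampering with data"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information Disclosure"
    DOS = "Denial of Service"
    ELEVATION = "Elevation of Privilege"


# Trust levels ordered from least to most privileged (from the text above).
TRUST_LEVELS = ["anonymous", "user", "website admin", "database admin"]


@dataclass(frozen=True)
class EntryPoint:
    name: str
    trust_level: str  # minimum trust needed to reach this entry point


@dataclass
class Threat:
    title: str
    category: Stride
    entry_point: EntryPoint
    likelihood: int  # 1 (low) .. 3 (high), assumed scale
    impact: int      # 1 (low) .. 3 (high), assumed scale
    mitigation: str = ""

    @property
    def risk(self) -> int:
        if not (1 <= self.likelihood <= 3 and 1 <= self.impact <= 3):
            raise ValueError("likelihood and impact must be in 1..3")
        return self.likelihood * self.impact


def rank_threats(threats):
    """Highest risk first. Ties go to the more exposed entry point
    (anonymous before admin-only), then to the title for a stable order."""
    return sorted(
        threats,
        key=lambda t: (
            -t.risk,
            TRUST_LEVELS.index(t.entry_point.trust_level),
            t.title,
        ),
    )


def unmitigated(threats):
    """Threats recorded without any countermeasure."""
    return [t for t in threats if not t.mitigation.strip()]


def coverage_gaps(threats, entry_points):
    """Entry points with STRIDE categories nobody has recorded a threat for.
    A checklist prompt for the analyst, not evidence of safety."""
    gaps = {}
    for ep in entry_points:
        seen = {t.category for t in threats if t.entry_point == ep}
        missing = [c for c in Stride if c not in seen]
        if missing:
            gaps[ep.name] = missing
    return gaps


# Constructed sample register built on the entry points named in the text.
REGISTER_ENTRY = EntryPoint("Register New User", "anonymous")
LOGIN_ENTRY = EntryPoint("Login", "anonymous")
FORGOT_ENTRY = EntryPoint("Forgot Password", "anonymous")
ENTRY_POINTS = [REGISTER_ENTRY, LOGIN_ENTRY, FORGOT_ENTRY]

SAMPLE_THREATS = [
    Threat("Credential stuffing against Login", Stride.SPOOFING, LOGIN_ENTRY, 3, 3,
           "Rate limiting, MFA, breached-password check"),
    Threat("Password reset token guessable", Stride.SPOOFING, FORGOT_ENTRY, 2, 3,
           "Random tokens (at least 128 bits), single use, short expiry"),
    Threat("Login failures not logged", Stride.REPUDIATION, LOGIN_ENTRY, 2, 2),
    Threat("Verbose error reveals valid usernames", Stride.INFO_DISCLOSURE, FORGOT_ENTRY, 3, 2,
           "Uniform response whether or not the account exists"),
    Threat("Mass account creation floods database", Stride.DOS, REGISTER_ENTRY, 2, 2,
           "CAPTCHA and per-IP rate limit"),
]


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        print(f"{t.risk:>2}  {t.category.value:<24} {t.entry_point.name:<18} {t.title}")
    print("Unmitigated:", [t.title for t in unmitigated(SAMPLE_THREATS)])
    gaps = coverage_gaps(SAMPLE_THREATS, ENTRY_POINTS)
    print("Gaps:", {k: [c.name for c in v] for k, v in gaps.items()})
```

Running the module prints the ranked register; the highest-risk item (credential stuffing against the anonymous Login entry point) comes first, the unlogged login failures are flagged as the only threat without a mitigation, and every entry point shows open STRIDE categories, which is the prompt to go back to the "Determine Threats" step.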
Analyzing Threats
This analysis process can be summed up in the following steps:
- Identifying each vulnerability and analyzing its impact on the application’s functionality; typical findings include:
- User session timeout not being handled properly on the server side
- Input data not being properly validated on the database side
Security Controls
This step involves creating a security profile to examine all the areas which are most prone to vulnerabilities, such as:
- Authentication – enforcing passwords and password verifiers, using certificates, securing credentials as they pass over the network.
- Authorization – enforcing authorization checks on credentials; assessing the gatekeepers installed at the application’s entry points; defense strategies
- Cookie Management – checking how session cookies are generated and what mechanisms are used to prevent hijacking
- Input Data Validation – preventing malicious data and command injection by an attacker; validating data as it passes between different trust boundaries
- Information Leakage – checking the security mechanisms and encryption techniques used for handling sensitive data; securing encryption keys
- Cryptography – examining the kind, length and security of encryption keys; recycling of keys
- Session Management – ensuring the security of persistent session state as it crosses the system; defining how the application authenticates to the session store
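The Cookie Management and Session Management items above, and the session-timeout finding in the analysis step, are easiest to review against concrete code. The following Python module is an added example and not Compassites’ code: it keeps session state on the server, enforces idle and absolute timeouts server-side (so expiry does not depend on the browser honouring a cookie lifetime), rotates the identifier after authentication, and emits a `Set-Cookie` value with the attributes a reviewer would look for. The timeout values, the cookie name `sid`, and the in-memory store are assumptions for illustration.

```python
"""Server-side session handling with hardened cookies.

Added example, not Compassites' code. Timeouts and the cookie name are
assumed values; the store is in-memory for demonstration only.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before a session dies (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on session lifetime in seconds (assumed)


@dataclass
class Session:
    user: str
    created_at: float
    last_seen: float


class SessionStore:
    """In-memory store keyed by a hash of the token, so a dump of the store
    does not hand out usable session cookies."""

    def __init__(self, idle: int = IDLE_TIMEOUT, absolute: int = ABSOLUTE_TIMEOUT):
        self.idle = idle
        self.absolute = absolute
        self._sessions = {}

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user: str, now: float) -> str:
        # 32 bytes from the OS CSPRNG; never derived from user data or the clock.
        token = secrets.token_urlsafe(32)
        self._sessions[self._key(token)] = Session(user, now, now)
        return token

    def validate(self, token: str, now: float) -> Optional[str]:
        """Return the user if the session is live, else None.
        Expired sessions are deleted here, on the server, regardless of
        whether the client still presents the cookie."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return None
        if now - s.last_seen > self.idle or now - s.created_at > self.absolute:
            del self._sessions[key]
            return None
        s.last_seen = now
        return s.user

    def rotate(self, token: str, now: float) -> Optional[str]:
        """Issue a fresh identifier after login or a privilege change so an
        identifier handed out before authentication cannot be reused
        (session fixation defence). The absolute clock is preserved."""
        s = self._sessions.pop(self._key(token), None)
        if s is None:
            return None
        new_token = secrets.token_urlsafe(32)
        self._sessions[self._key(new_token)] = Session(s.user, s.created_at, now)
        return new_token


def session_cookie(token: str, name: str = "sid", max_age: int = IDLE_TIMEOUT) -> str:
    """Set-Cookie value with the attributes that limit hijacking: HttpOnly keeps
    page scripts from reading it, Secure keeps it off plaintext HTTP, SameSite
    stops cross-site requests from carrying it, Path scopes where it is sent."""
    return f"{name}={token}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Strict"


def cookie_is_hardened(set_cookie: str) -> bool:
    """Review check for an existing application's Set-Cookie header."""
    attrs = {part.strip().split("=")[0].lower() for part in set_cookie.split(";")[1:]}
    return {"httponly", "secure", "samesite"} <= attrs


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create("alice", 0.0)          # pre-login identifier
    sid = store.rotate(anon, 1.0)              # rotate on successful login
    print(session_cookie(sid))
    print("old id still valid?", store.validate(anon, 2.0) is not None)
    print("hardened:", cookie_is_hardened(session_cookie(sid)))
```

The `now` parameter is passed explicitly so the timeout logic can be exercised deterministically; a real deployment would pass `time.time()`.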
Mitigation Strategy
Based on a thorough review of the application in question, we design mitigation strategies for continuous threat management:
- Provide reactive and proactive vulnerability management
- Suggest best practices
- Conduct frequent security testing exercises
With new and complex threats evolving every day, threat modeling is a crucial exercise in understanding the vulnerabilities of an application from an attacker’s perspective and ensuring that precious data is well protected. With our extensive experience in designing threat models for a variety of clients, Compassites can help you stay miles ahead of the malicious mind.