Security Auditing - Threat Modeling, Vulnerability Assessment, Penetration Testing
Threat modeling is a powerful tool that identifies the highest risk areas within an application and ties them to known attacks and countermeasures. By leveraging a deep understanding of the application's business logic and design, organizations that employ threat modeling can significantly reduce attack vectors before ever coding an application. Additionally, threat modeling is used extensively with existing applications to prioritize in-scope components for code review and application penetration testing.
- Find possible vulnerabilities in the design of an application
- Determine necessary countermeasures to potential attacks
- Prioritize components for run-time and source code analysis in large applications
Key Business Benefits
- Cost reduction through prioritization of other application security testing activities
- Threat modeling also allows architects and designers to evaluate the application's design for vulnerabilities during the design phase, before any code is written
- Threat modeling can be perceived as an asset, as it can be used in future releases to evaluate whether new security controls need to be put in place or whether existing controls are sufficient
The steps below outline our threat modeling methodology:
- Gather Information—Understand the application's use cases, business requirements, data types, technical design, and other information by interviewing key stakeholders and analyzing diagrams
- Decompose Application—Break the application out into user roles, data types, and the hardware/software components used
- DFDs—Map out data flow between logical components at various levels of granularity. This demonstrates a strong awareness of application flow and serves as a base for understanding the root cause of vulnerabilities found in testing activities of the application security program.
- Identify Risk—By either leveraging previous application/data classification efforts, or creating them for the first time for this application, consultants identify varying levels of risk for the data types used in the application. This serves as a base to prioritize threats during the 'attack tree' phase.
- Use Cases—Outline the major use cases for the application and analyze each for potential threats to confidentiality, integrity, and availability
- Attack Trees—Determine possible attacks for each attack vector outlined in the use case, prioritized by risk. Determine countermeasures for each attack and use this as either a basis for application design or as a checklist during penetration testing / source code review.
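As an added illustration of how the Identify Risk, Use Cases and Attack Trees steps fit together (this is example code written for this page, not the firm's own tooling or a tool referenced by the page), the following Python sketch models a small attack tree per use case, weights each goal by the classification of the data it exposes, ranks the resulting threats to drive pentest and code-review scope, and emits the countermeasure checklist for the top threat. Re-running the ranking with a set of implemented controls answers the "are existing controls sufficient?" question for a later release. Every use case name, data classification, likelihood value, impact weight and countermeasure below is a constructed assumption.

```python
"""Attack-tree risk prioritisation and countermeasure checklist.

Illustrative example for the threat modeling steps above; not code from the
original page. All names, likelihoods, weights and controls are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Impact weight per data classification (output of the "Identify Risk" step).
# Constructed scale; a real engagement takes these from the client's policy.
IMPACT: Dict[str, int] = {"public": 1, "internal": 3, "confidential": 7, "restricted": 10}

# Assumed residual likelihood of a leaf attack once its countermeasure is in place.
RESIDUAL_LIKELIHOOD = 0.05


@dataclass
class AttackNode:
    """One attack-tree node. Leaves carry a likelihood and a countermeasure;
    interior nodes combine their children with an AND or OR gate."""
    name: str
    gate: str = "OR"                      # "OR": any child path suffices; "AND": all required
    likelihood: float = 0.0               # leaves only: estimated chance the step succeeds
    countermeasure: Optional[str] = None  # leaves only: control that blocks this step
    children: List["AttackNode"] = field(default_factory=list)

    def leaves(self) -> List["AttackNode"]:
        if not self.children:
            return [self]
        return [leaf for child in self.children for leaf in child.leaves()]

    def success_probability(self, implemented: Set[str] = frozenset()) -> float:
        """Probability the attacker reaches this node, treating steps as independent.
        A leaf whose countermeasure is in `implemented` drops to the residual value."""
        if not self.children:
            return RESIDUAL_LIKELIHOOD if self.countermeasure in implemented else self.likelihood
        probs = [child.success_probability(implemented) for child in self.children]
        if self.gate == "AND":
            result = 1.0
            for p in probs:
                result *= p
            return result
        # OR gate: the goal is reached unless every child path fails.
        all_fail = 1.0
        for p in probs:
            all_fail *= 1.0 - p
        return 1.0 - all_fail


@dataclass
class Threat:
    """A threat against one use case: the attack-tree goal plus the
    classification of the data it exposes."""
    use_case: str
    data_classification: str
    tree: AttackNode

    def risk(self, implemented: Set[str] = frozenset()) -> float:
        return IMPACT[self.data_classification] * self.tree.success_probability(implemented)


def prioritize(threats: List[Threat], implemented: Set[str] = frozenset()) -> List[Tuple[str, float]]:
    """Rank threats by risk, highest first; the order sets pentest/code-review scope."""
    ranked = [(t.tree.name, round(t.risk(implemented), 4)) for t in threats]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


def countermeasure_checklist(threat: Threat) -> List[Tuple[str, str]]:
    """(attack step, countermeasure) pairs to verify during testing or code review."""
    return [(leaf.name, leaf.countermeasure) for leaf in threat.tree.leaves() if leaf.countermeasure]


def sample_threats() -> List[Threat]:
    """Constructed sample: two use cases of a fictional online banking application."""
    read_other_statement = AttackNode("Read another customer's statement", gate="OR", children=[
        AttackNode("Tamper with statement id in request", likelihood=0.6,
                   countermeasure="Server-side ownership check on statement id"),
        AttackNode("Hijack a customer session", gate="AND", children=[
            AttackNode("Inject script via search field", likelihood=0.3,
                       countermeasure="Contextual output encoding and CSP"),
            AttackNode("Session cookie readable from script", likelihood=0.5,
                       countermeasure="HttpOnly and Secure cookie flags"),
        ]),
    ])
    deface_landing_page = AttackNode("Deface public landing page", gate="OR", children=[
        AttackNode("Stored script in public comments", likelihood=0.4,
                   countermeasure="Contextual output encoding and CSP"),
    ])
    return [
        Threat("Customer views account statement", "confidential", read_other_statement),
        Threat("Visitor views landing page", "public", deface_landing_page),
    ]


if __name__ == "__main__":
    threats = sample_threats()
    print("Initial ranking:", prioritize(threats))
    print("After cookie flags:", prioritize(threats, {"HttpOnly and Secure cookie flags"}))
    for step, control in countermeasure_checklist(threats[0]):
        print(f"  [ ] {step} -> {control}")
```

The OR/AND combination is the usual independence approximation; it is good enough to order threats, not to produce an absolute probability. The value of the model is in the comparison: the confidential-data goal stays at the top of the list even after the cookie flags are added, which tells the reviewer that the ownership check on the statement id is the control to verify first.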
Threat Modeling Deliverables
The result of threat modeling is a living document that defines the high-risk threats for an application along with corresponding attacks and countermeasures. This document can then be used in later releases, or as new threats come out, to evaluate whether additional controls need to be built.