Recently I flunked an interview wherein the interviewer was asking lots of questions around threat models. While I will not be putting any of those questions here, I did do my “after the horse bolted” type of post mortem and have come up with a list of questions that anyone who works on the design of web applications should be aware of.
First, the obvious one: What is Threat Modeling?
Well, it’s a hot buzzword these days in the world of information technology security. Threat modeling is a structured approach to analyzing your web application design and identifying threats against your system. Hmmm… you said THREAT? A threat model is very useful for identifying design-related security issues early in the application development lifecycle, which makes mitigating those issues far less costly than finding them later, in, say, the verification phase.
So what is a Threat? A threat is a possible harm that can be caused to an Asset (anything of importance that needs protection; from a web application perspective it may be user passwords, keys, financial information, etc.).
Where and when do you start Threat Modeling? A good point to start threat modeling is just after you are done with the functional and technical design documents of your application. Having said that, it is never too late to start: if not in the current release, it may help in the next.
What are the general steps involved in Threat Modeling?
The threat modeling process should ideally start with a brainstorming session to answer the following questions (by no means an exhaustive list… so think, think, think):
- What are the assets of the system?
- Who are the end users?
- Where will you deploy the application? Is this an intranet application, or will it be accessible over the internet?
- What would attract a malicious user to your system?
- What security mechanisms do you have in place?
- How many points of failure does this application have? One??? Run back to the drawing board…
While doing the threat model of an application (or anything), think like an attacker who is trying to sabotage your app. Look for the ways your system’s weaknesses could be exploited. This will help you create an Attack Tree (a what??).
Once you have identified the threats, what’s next? Remember that risk can never be erased fully; you can only Transfer/Accept/Ignore it. And that’s exactly what you do once you have identified the threats. A good threat model will have ALL the identified threats reviewed and recorded as Ignore/Accept/Transfer.
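To make the two ideas above concrete, here is an added example (mine, not part of the original post): a tiny attack tree for the asset “user passwords”, evaluated the usual way (cheapest branch of an OR node, sum of an AND node, a leaf covered by a control counts as closed), plus a threat register check that flags any identified threat not yet reviewed as Transfer/Accept/Ignore. The tree, the relative effort numbers and the register entries are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Node:
    """One node of an attack tree: an AND/OR goal or a leaf attack step."""
    name: str
    op: str = "LEAF"             # "AND", "OR" or "LEAF"
    cost: float = 0.0            # leaf only: attacker effort, constructed units
    mitigated: bool = False      # leaf only: an existing control blocks this step
    children: List["Node"] = field(default_factory=list)

def cheapest_open_path(node: Node) -> Optional[float]:
    """Cheapest attack cost still open to an attacker, or None if the goal is closed."""
    if node.op == "LEAF":
        return None if node.mitigated else node.cost
    costs = [cheapest_open_path(c) for c in node.children]
    if node.op == "OR":                      # any child reaches the goal
        open_costs = [c for c in costs if c is not None]
        return min(open_costs) if open_costs else None
    if node.op == "AND":                     # every child is required
        return None if any(c is None for c in costs) else sum(costs)
    raise ValueError(f"unknown node type {node.op!r}")

# Constructed sample tree for a web login; leaves are generic threat categories.
steal_passwords = Node("steal user passwords", "OR", children=[
    Node("guess weak password", cost=2, mitigated=True),       # lockout + policy
    Node("phish credentials", cost=5),
    Node("read password DB", "AND", children=[
        Node("SQL injection in search", cost=3, mitigated=True),  # parameterised
        Node("crack stored hashes", cost=8),
    ]),
])

# Threat register: the post says EVERY identified threat must be reviewed and
# marked with one of these dispositions.
DISPOSITIONS = {"Accept", "Transfer", "Ignore"}

def unreviewed_threats(register: Dict[str, str]) -> List[str]:
    """Threats whose disposition is missing or not one of the allowed values."""
    return sorted(name for name, d in register.items() if d not in DISPOSITIONS)

sample_register = {
    "phish credentials": "Transfer",     # e.g. handed to an external identity provider
    "crack stored hashes": "Accept",     # slow hash in use; residual risk accepted
    "guess weak password": "",           # not reviewed yet: the check should flag it
}

if __name__ == "__main__":
    print("cheapest open path:", cheapest_open_path(steal_passwords))
    print("still unreviewed:", unreviewed_threats(sample_register))
```

With the two mitigated leaves in place, the only open route is phishing (cost 5); mark that leaf mitigated too and the function returns None, which is the point of re-running the model after each control lands.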