Pentesting Report: Attack Narrative Series Part 2: Threat Modeling

During my time at Flatiron School I created a password manager for my final project. Though a seemingly simple task, this threw me for a fun loop into authentication and cryptography; and now it is time to test it.
This is part 2 in an ongoing series as I complete the pentest report of the application I built. This series is meant to supplement the actual report that doesn't need the step-by-step breakdown that this will cover.

Part 2: Threat Modeling

This step is part of the main recon as well as the step after this on Research and Exploitation. A threat model is a visual representation of the flow of data in an application that is used to identify gaps in security and vulnerable points, also as well help to categorize and prioritize the threats found during a penetration test. Therefore, when reporting mitigation recommendations it helps by bridging the gap between developers and security experts and allows everyone to have knowledge and awareness, though documentation, of all the identified and rated threats for a project.

~For this penetration test the threat model will be used as a guide and will be modified with as the findings of the penetration test are filled in.~

• The STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service) approach will be used through the open source tool from OWASP, Threat Dragon. STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service).
• The ZAP Scanning Report will also be used to help identify any associated CWEs (Common Weakness Enumeration) and WASCs (Web Application Security Consortium).
• A CVSS (Common Vulnerability Scoring System) will be used with the visual model to provide a way to capture the principal characteristics of a vulnerability and produce a numerical score (ranging from 0-10, with 10 being the most severe) depicting its severity.

Version: 1.0

Date: 06-03-2020
By: DaNeil Coutlhard
Notes: Base model made from information gathering phase as well as expected vulnerability points from a database. Database type is currently unknown.
Model:

Happy Hacking

References

1. https://wiki.owasp.org/index.php/Category:Threat_Modeling
2. https://devops.com/threat-modeling-the-why-how-when-and-which-tools/
3. https://www.geeksforgeeks.org/threat-modelling/
4. https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
5. https://www.f5.com/services/resources/white-papers/f5-big-ip-platform-security
6. https://owasp.org/www-community/Application_Threat_Modeling
7. https://threatmodeler.com/threat-modeling-methodologies-overview-for-your-business/
8. https://www.owasp.org/images/e/e9/Threat-Modelling_oct2017.pdf
9. https://owasp.org/www-project-threat-dragon/
10. https://threatdragon.org/

Please Note that I am still learning. If something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.