"Threat Modeling" is a term that I see a lot on job applications lately. People want someone who can "threat model." So, what really is a "threat model"?
Threat modeling is the process of identifying threats and vulnerabilities, as well as identifying security gaps and mitigating the risks that could damage an application or leave an opening for data theft. "In essence, it is a view of the application and its environment through security glasses." (1)
As a developer
- Because the security landscape of an application is ever changing, with new threats discovered every day, it is difficult to say you are 100% covered against all threats the first time through. Threat modeling should therefore be done as early as possible in the development life cycle, revisited any time the system's architecture changes, and revisited again after any security incident or newly introduced vulnerability.
As a Penetration Tester/Security Engineer
- Threat modeling helps a tester build an in-depth understanding of an application they have no prior knowledge of. It shows how the components really connect and communicate, and where they can be exploited.
There are a lot of methodologies to choose from, more than I want to dive deep into on this blog. In general, they all follow a similar process: walk through the project and identify where security issues might, or do, pop up. The result is usually a visual representation (typically a data-flow diagram) with documentation explaining each process and the threats associated with it. A good threat model also records options for how each threat might be fixed and gives a numerical rating to each issue, to help communicate the overall threat landscape of the project.
CVSS (the Common Vulnerability Scoring System) is often used alongside the diagram to rate each identified threat. It captures the principal characteristics of a vulnerability (how it is reached, what privileges and user interaction it needs, and its impact on confidentiality, integrity and availability) and produces a numerical score from 0 to 10, with 10 being the most severe. Keep in mind that CVSS was designed to score vulnerabilities, so when you apply it to a threat you are scoring the attack you assume is possible, and the score should be revisited once the threat is confirmed or ruled out.
Threat modeling tools make the process a lot cleaner. There are a few out there, but I am going to talk about the Microsoft Threat Modeling Tool and OWASP Threat Dragon.
- Below you can see the MS Threat Modeling Tool. After downloading it myself, I found it pretty easy to use. It is a drag-and-drop interface that lets you place items on the diagram and connect them as part of the project's data flow. You can see the little "HTTPS" flow has small keys next to it, and within that point there are options to set specific attributes such as "destination authentication" or "provides integrity." I enjoy how much customization this gives for each project. The tool also uses those element types and attributes to generate a starting list of STRIDE threats for each element, which you then review and refine rather than write from scratch.
- There are also open-source options, like OWASP's Threat Dragon, which has a web version that connects to your Git repository and a downloadable version to work with locally. It is the same process as the MS tool: a drag-and-drop system where you can interact with each point, label it, and add threat points. Its biggest downside is that it is not automatic and you need to know what you are looking for, BUT it does create a nice report of the found issues, and I enjoy that it is connected to the project I made it for.
There are at least 12 different methodologies available, as everyone seems to want their own method, but here are a few that are seen pretty often right now. (4) I'll leave it up to you to find the best one for your situation.
- STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). Developed by Microsoft, it is a mnemonic for its six security threat categories, each of which is the violation of a property you want the system to hold: authentication, integrity, non-repudiation, confidentiality, availability and authorization.
- DREAD (Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability) is another methodology developed by Microsoft, used to rate risk by scoring each of its five categories (typically 1-10) and taking the average. The scores are subjective, so two reviewers can rate the same threat quite differently, which is the main criticism of it.
- PASTA (Process for Attack Simulation and Threat Analysis) is a seven-step, risk-centric methodology that aligns business objectives with technical requirements, while taking compliance issues and business analysis into account.
- Attack Trees "are diagrams that depict attacks on a system in tree form. The tree root is the goal for the attack, and the leaves are ways to achieve that goal. Each goal is represented as a separate tree. Thus, the system threat analysis produces a set of attack trees." (4)
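STRIDE is usually applied per element of the data-flow diagram: each element type is exposed to a fixed subset of the six categories, which is how a tool can generate a starting threat list from the diagram. The following is an added example (not code from the original post, and not the implementation inside the Microsoft tool or Threat Dragon) that applies that STRIDE-per-element table to a constructed three-tier web app and flags the flows that cross a trust boundary, since those are where the interesting threats sit. The element names, zones, protocols and flow attributes are all made up for illustration.

```python
"""STRIDE-per-element threat enumeration over a small data-flow diagram.

Added example; not the original post's code and not how the Microsoft tool
or Threat Dragon implement it. The model at the bottom is constructed.
"""
from dataclasses import dataclass

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}

# STRIDE-per-element: the categories that apply to each DFD element type.
# External entities can be spoofed or deny having acted; data flows can be
# tampered with, read or cut; stores add repudiation (logs); processes get all six.
APPLICABLE = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_flow": "TID",
    "data_store": "TRID",
}


@dataclass
class Element:
    name: str
    kind: str          # a key of APPLICABLE
    trust_zone: str    # e.g. "internet", "dmz", "internal"


@dataclass
class Flow:
    name: str
    src: Element
    dst: Element
    protocol: str
    encrypted: bool = False       # the "provides confidentiality/integrity" attribute
    authenticated: bool = False   # the "destination authenticates the source" attribute


@dataclass
class Threat:
    element: str
    category: str
    note: str
    crosses_boundary: bool = False


def threats_for_element(el: Element) -> list:
    """Every STRIDE category the element type is exposed to."""
    return [Threat(el.name, STRIDE[c], f"{el.kind} in zone '{el.trust_zone}'")
            for c in APPLICABLE[el.kind]]


def threats_for_flow(fl: Flow) -> list:
    """Flow threats, with notes driven by the flow's attributes."""
    crosses = fl.src.trust_zone != fl.dst.trust_zone
    out = []
    for c in APPLICABLE["data_flow"]:
        note = f"{fl.protocol} {fl.src.name} -> {fl.dst.name}"
        if c in "TI" and not fl.encrypted:
            note += " (plaintext: no confidentiality or integrity on the wire)"
        out.append(Threat(fl.name, STRIDE[c], note, crosses))
    # A boundary-crossing flow whose destination does not authenticate the
    # source lets anyone in the source's zone impersonate it.
    if crosses and not fl.authenticated:
        out.append(Threat(fl.name, STRIDE["S"],
                          "destination cannot verify who is on the other end", crosses))
    return out


def enumerate_threats(elements, flows) -> list:
    """All threats for the model, boundary-crossing ones first."""
    threats = []
    for el in elements:
        threats += threats_for_element(el)
    for fl in flows:
        threats += threats_for_flow(fl)
    return sorted(threats, key=lambda t: (not t.crosses_boundary, t.element, t.category))


def build_sample_model():
    """Constructed model: browser -> web app in a DMZ -> database on the internal net."""
    browser = Element("Browser", "external_entity", "internet")
    web = Element("Web App", "process", "dmz")
    db = Element("Customer DB", "data_store", "internal")
    flows = [
        # HTTPS, but before login the server has no idea who the client is.
        Flow("login request", browser, web, "HTTPS", encrypted=True, authenticated=False),
        # Authenticated DB user, but the driver connects without TLS.
        Flow("SQL query", web, db, "TCP/3306", encrypted=False, authenticated=True),
    ]
    return [browser, web, db], flows


if __name__ == "__main__":
    for t in enumerate_threats(*build_sample_model()):
        flag = "*" if t.crosses_boundary else " "
        print(f"{flag} {t.element:14s} {t.category:24s} {t.note}")
```

The output is a list of candidate threats, not findings: the point of the per-element table is completeness, so the next step is to walk each row, decide whether it is real for this system, and attach a mitigation and a score to the ones that are.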
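An attack tree becomes useful once the leaves carry attributes you can roll up to the root. This added example (not from the original post) gives each leaf a constructed attacker cost and a feasibility flag: OR nodes take the cheapest child, AND nodes sum their children, and an infeasible leaf costs infinity, following the attribute rules in Schneier's original attack-tree write-up. The goal, the leaves, the costs and the `secure_cookie` mitigation switch are all made up for illustration.

```python
"""Attack-tree evaluation: the cheapest path to the root goal.

Added example, not the original post's code. Leaf costs are constructed,
arbitrary units; the tree and the mitigation switch are illustrative only.
"""
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class Node:
    goal: str
    op: str = "LEAF"                  # "OR", "AND" or "LEAF"
    cost: float = 0.0                 # leaves only
    feasible: bool = True             # leaves only; a mitigation flips this
    children: List["Node"] = field(default_factory=list)


def cheapest(node: Node) -> Tuple[float, List[str]]:
    """Return (cost, leaf goals) for the cheapest way to reach node.goal."""
    if node.op == "LEAF":
        return (node.cost if node.feasible else float("inf")), [node.goal]
    results = [cheapest(c) for c in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])        # any one child suffices
    if node.op == "AND":
        return sum(r[0] for r in results), [g for r in results for g in r[1]]
    raise ValueError(f"unknown node op {node.op!r}")


def sample_tree(secure_cookie: bool = False) -> Node:
    """Constructed tree for one root goal; secure_cookie models a mitigation."""
    return Node("Read another customer's order history", "OR", children=[
        Node("Steal a session", "OR", children=[
            Node("Phish the user's credentials", cost=40),
            Node("Sniff the session cookie", "AND", children=[
                Node("Get on the same network", cost=30),
                Node("Cookie sent without the Secure flag", cost=5, feasible=not secure_cookie),
            ]),
        ]),
        Node("Exploit the API", "OR", children=[
            Node("Guess another customer's order id (IDOR)", cost=10),
            Node("SQL injection in order search", cost=60),
        ]),
    ])


if __name__ == "__main__":
    for mitigated in (False, True):
        cost, path = cheapest(sample_tree(secure_cookie=mitigated))
        print(f"secure_cookie={mitigated}: cost {cost}, via {path}")
```

Re-evaluating after each proposed mitigation is the payoff: setting the Secure flag removes the cheapest session-theft path, but the root goal stays just as cheap through the IDOR leaf, which tells you where the next fix should go.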
What makes threat modeling useful is the ability to identify, categorize and prioritize the threats found.
- Threat modeling delivers more value when it is executed consistently and repeatedly, allowing developers to identify vulnerabilities and prioritize fixing them.
If you make threat modeling part of the development life cycle, it will help minimize your exposure to security risks, lessen the impact and likelihood of something bad happening, and hopefully make any issues that do happen more manageable and less disastrous.
For Penetration Testers/Security Engineers
- Threat modeling is a great way to see how data flows through the application and to find security flaws in it.
Making threat modeling part of a penetration test lets pentesters see all the working parts of an application, its dependencies, and its database structure. When reporting mitigation recommendations, it helps ensure that a secure application is being built by bridging the gap between developers and security experts. It gives everyone knowledge and awareness, through documentation, of all the identified and rated threats for a project.