Application Threat Modelling


description

Webapp security testing requires conducting application threat modelling, and this modelling document shall provide you with the process.


Application threat modelling

Application threat modelling to identify the business security risks and security vulnerabilities should be undertaken at the project definition stage but may be undertaken later in the software lifecycle when no model exists. Threat modelling is also usually undertaken as part of security due diligence reviews to better understand the business risks involved with the application before going live in production. Threat modelling should be a structured technique that systematically identifies threats, attacks, vulnerabilities and possible countermeasures to mitigate the risks. The approach is usually based on an asset, threat or compliance technique, to suit the business requirements.

Threat modelling process

Internet-facing systems are increasingly a vital part of the business strategies for many organisations. For some near-virtual companies, this can be the main arena for interactions with staff, suppliers and customers. Internet web applications are complex since they can be:

- use a security policy to identify the security objectives
- develop an overview of the application using resources such as the project scope, requirements, specifications or operating guides
- examine the application in detail to understand its attack surface, mechanisms and processes
- identify the business threats due to the web site or web application
- identify vulnerabilities based on the threats identified previously

It is prudent to ensure that application threat modelling is an integral part of web application development and operation processes.

Web Application threat modelling

The context of a Web Application will affect the types of threats identified. The term Web Application can include intranets, extranets and public sites but there can be a huge overlap of these in the Web Applications of enterprise organisations. Web Applications often require the use of business data that would otherwise be maintained only internally. The challenge of Web Application security is to provide sufficient information security to protect the information assets and your users (customers, partners, staff and other stakeholders).

Threat modelling will develop use cases, usage scenarios and associated data flows, data schemas and deployment diagrams. Some of these may already exist as part of the development process, but often need to be extended to include malicious and accidental cases, rather than the intended usage.

Threat modelling vulnerabilities

For any Web Applications, the following are likely to be the major categories of vulnerabilities:

- input and output data validation
- authentication
- authorisation
- session management
- configuration management
- sensitive data
- cryptography
- exception handling
- auditing and logging

Any Web Application which has any form of user interaction will include all of these potential categories.

Threat modelling objectives

The primary output of application threat modelling is a list of threats and a list of associated vulnerabilities.

Threat modelling aims to identify what security issues should be addressed and to prioritise them. It should also be used to build knowledge about the Web Application or application, and to increase knowledge within the project team. By documenting and demonstrating the threats and vulnerabilities, the team will gain knowledge and avoid making changes that would reverse a fix.

All issues need to be reviewed using vulnerability assessment to confirm the consequences if the vulnerability is exploited.

Vulnerability Assessments

Vulnerability assessment or audit is the process of identifying and quantifying vulnerabilities in a web application or website using scanning and testing methods. Vulnerability assessment is usually undertaken as part of web risk assessments during the project definition stage or as a result of penetration testing of an existing website or web application.

Threats first

The threats related to a web application are similar to other software, but by their nature user-access is more widespread and less controlled. An initial identification of security threats should be undertaken prior to identifying the vulnerabilities.

Vulnerability consequences

A vulnerability assessment or audit should consider the effects of each identified vulnerability on all assets (possibly identified during threat modelling) within the scope of the review. Where possible, methods and techniques to remove or reduce the effects of the vulnerability should be identified in order to minimise or eliminate the business risk.
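
The outputs described under "Threat modelling objectives" and "Vulnerability consequences" (a list of threats, the associated vulnerabilities, their effect on assets, and a priority order) can be kept in a small register; the following is an added example, not part of the original document. The 1 to 3 likelihood and impact scales, the scoring formula and all sample names are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The nine vulnerability categories listed on this page.
CATEGORIES = frozenset({"input and output data validation", "authentication",
    "authorisation", "session management", "configuration management",
    "sensitive data", "cryptography", "exception handling", "auditing and logging"})

@dataclass
class Vulnerability:
    name: str
    category: str
    threat: str           # the previously identified threat it belongs to
    assets: tuple         # assets affected if it is exploited
    likelihood: int       # assumed scale: 1 (low) to 3 (high)
    mitigation: str = ""  # countermeasure; empty until one is identified

@dataclass
class ThreatModel:
    assets: dict          # asset name -> assumed business impact, 1 to 3
    threats: set = field(default_factory=set)
    vulns: list = field(default_factory=list)

    def add(self, v):
        if v.threat not in self.threats:  # threats are identified first
            raise ValueError(f"{v.name}: threat {v.threat!r} not identified yet")
        if v.category not in CATEGORIES:
            raise ValueError(f"{v.name}: unknown category {v.category!r}")
        if not v.assets or set(v.assets) - set(self.assets):
            raise ValueError(f"{v.name}: must affect at least one known asset")
        self.vulns.append(v)
    def score(self, v):  # assumed formula: likelihood x worst affected asset
        return v.likelihood * max(self.assets[a] for a in v.assets)
    def prioritised(self):  # open issues only, highest score first
        todo = [v for v in self.vulns if not v.mitigation]
        return sorted(todo, key=lambda v: (-self.score(v), v.name))
    def gaps(self):  # threats and categories with nothing recorded yet
        return {"threats": self.threats - {v.threat for v in self.vulns},
                "categories": CATEGORIES - {v.category for v in self.vulns}}

def sample_model():  # constructed sample data, not from the page
    m = ThreatModel({"customer records": 3, "order history": 2, "audit trail": 1},
                    {"account takeover", "data theft", "repudiation"})
    m.add(Vulnerability("no login lockout", "authentication", "account takeover",
                        ("customer records", "order history"), 3))
    m.add(Vulnerability("verbose error pages", "exception handling", "data theft",
                        ("order history",), 2, "generic error page"))
    m.add(Vulnerability("unsalted password hashes", "cryptography",
                        "account takeover", ("customer records",), 2))
    return m
```

The `gaps()` result lists threats with no vulnerability recorded against them and categories not yet examined, which is where the next review pass should look.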