The introduction would generally explain what threat modeling is. However, it takes more than a few lines to do that. In fact one may start understanding in parts by the end of numerous such exercises, how it works.
Let’s answer the question of ‘Why’ Threat modeling is required in the first place.
Today a sizable number of testers perform vulnerability assessments and penetration testing for a wide variety of web applications. As it is, the benefits of a good Penetration test are guaranteed:
- · Dynamic but comprehensive assessment of application
- · Precise findings
- · Tells the likelihood of system 0wnage
- · Accurate fixes[since we have tools to tell us the exact interface and parameter affected]
- · Ability to test and retest quickly
Now let’s look carefully at each point above. A threat modeling or thorough design review can give us all the benefits from above plus the ones below:
- · Great reduction in cost! The cost of fixing issues after development is considerable
- · Avoids any confusion from standalone fixes or recurrence of issues
- · Makes the application robust by design
- · Finds any security issues first hand- yes long before they are born
Application end to end
A design review takes into consideration every single entity that interacts, provides for or is connected to the application. This way it completes all the circles and is the real end to end assessment. It treats the application like a system with its own ecology and then finds what could go wrong. It is not limited to what’s visible to the user from front end but explores possibility of issues from back-end, components, channels, etc…
What makes a finding ‘concrete’ is evidence. A threat should also be accompanied by its own set of ‘soft evidence’. Except for few cases one can often cite the client to show what has indicated existence of a threat. Like how two decently secure systems being put together in a certain way can uncover a potential flaw leading to insecurity.
Note: You may generally notice this for existing designs
Likelihood of system 0wnage
The likelihood of exploiting any threats to an application can be rightly judged, when one has a bird’s eye view of the design, components and channels. This often leads to different severities for the same issues in different scenarios.
Use of Use-Cases
A use case is a visual representation of the workflow/functional scenario and involves the concerned components and actors. It helps to understand the context better and enhances the chance of quick threat identification for the same.
In ideal cases, we recommend referring to use cases. However, in a practical scenario, with time constraints for review, an experienced security engineer may skip use cases. This is normally the case for a complex design changes that needs to be deployed quickly. In such a scenario it is essential to prioritize some cases/workflows over others, in the given context.
Still before we start discussing the elements of design review[Threat Modelling] in the following posts, a short definition below with respect to web application review:
‘Threat modeling is an art of finding security flaws in and around a web application given its environment, purpose and context leading to direct or indirect compromise or loss to business.’
The reader is expected to possess basic understanding of how web applications work and offensive attack techniques that could be used to subvert the same.
In the future posts, I shall touch upon many aspects of Threat modeling and design review. The reader should keep in mind that these just list some checkpoints in the context of threat modeling web applications and are not exhaustive in any way.