What Exactly is Threat Modeling?

My role at the moment is primarily in Application Security. As the most inexperienced member of my team, Threat Modeling was one of the concepts I personally had trouble grasping. I learned that it is not something that is perfectly quantifiable. This made it difficult for a rookie Security Engineer like myself, because companies can include Threat Modeling in their KPIs and expect you to report some sort of percentage or number that ends up on a glorified PowerPoint slide somewhere. Although there is no true 0%-100% scale, what you can do is measure the progress of your application(s) against these checkpoints:

  • Percentage of applications for which Threat Models have been created

  • Percentage of identified threats for which mitigation strategies have been defined

  • Percentage of mitigation strategies that have been implemented and validated

But what does it MEAN?

Threat modeling is a structured approach used in Application Security to identify, prioritize, and mitigate potential threats. It helps to visualize and understand an application's potential attack surface, and aids in decision-making about where to focus security efforts. While Threat Modeling can vary based on specific methodologies or business needs, it generally follows these basic steps:

  1. Identify Assets: This involves understanding what sensitive information or crucial system components your application contains or interacts with. Assets could include things like user data, payment information, proprietary code, or key system interfaces.

  2. Create an Architectural Diagram: This step involves building a detailed diagram of the application, including data flows, components, and interactions with external systems. This diagram should include all interfaces, trust boundaries, data handling and storage, and all components involved in the process.

  3. Identify Potential Threats: With a detailed understanding of the application, you can now begin to identify potential threats. Threats could come from a variety of sources like unauthenticated users, insiders, or third-party systems. Common threats include spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege (STRIDE).

  4. Categorize and Prioritize Threats: Once the potential threats have been identified, the next step is to categorize and prioritize them. This typically involves assessing the potential impact of the threat and the likelihood of it being exploited. One common method is a risk rating system such as DREAD (Damage potential, Reproducibility, Exploitability, Affected users, and Discoverability), where each factor is scored and the scores are combined into a single rating. CVSS (Common Vulnerability Scoring System) is also used, but it is designed to rate the severity of a specific known vulnerability rather than a design-level threat, so it fits best once a threat has been tied to a concrete weakness. DREAD scores are subjective, so agree on scoring criteria up front to keep ratings consistent across reviewers.

  5. Develop Mitigation Strategies: After threats have been identified and prioritized, the next step is to develop strategies to mitigate these threats. This could involve making changes to the application's architecture, implementing additional security controls, or changing business processes. The best strategy will depend on the specific threat, the application, and the organization's risk tolerance.

  6. Review and Update: Threat modeling is not a one-time event. As the application evolves and new threats emerge, the model needs to be reviewed and updated regularly. Regular reviews ensure that the model remains accurate and that security efforts are focused in the right areas.
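As an added worked example (not code from the original post), the six steps above and the three checkpoint percentages from the start of the post can be kept as plain data and computed rather than hand-tracked in a slide. The sample "checkout" application, its components, trust zones, DREAD scores and mitigations are all constructed for illustration. The STRIDE-per-element mapping (which STRIDE categories apply to external entities, processes, data stores and data flows) follows the Microsoft SDL convention, and DREAD is combined as the mean of five 1-10 scores, which is one common convention and an assumption here.

```python
"""Added example: a small threat model kept as data, walking the six steps.
Every name below (the "checkout" app, its components, the scores) is
constructed for illustration and is not taken from a real system."""
from dataclasses import dataclass
from typing import Optional

# STRIDE-per-element: the threat categories that apply to each DFD element
# type (Microsoft SDL convention). S=Spoofing, T=Tampering, R=Repudiation,
# I=Information disclosure, D=Denial of service, E=Elevation of privilege.
STRIDE_BY_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")


@dataclass(frozen=True)
class Element:
    name: str
    kind: str            # key of STRIDE_BY_ELEMENT
    trust_zone: str      # e.g. "internet", "internal"
    assets: tuple = ()   # step 1: sensitive assets handled here


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    assets: tuple = ()


@dataclass
class Threat:
    target: str                       # element or flow name
    category: str                     # one STRIDE letter
    dread: dict                       # step 4: 1-10 per factor (assumed scale)
    mitigation: Optional[str] = None  # step 5: decided control, if any
    validated: bool = False           # control implemented and verified

    def __post_init__(self):
        if set(self.dread) != set(DREAD_FACTORS):
            raise ValueError(f"DREAD scores must cover {DREAD_FACTORS}")

    def score(self) -> float:
        """DREAD rating as the mean of the five factors (assumed convention)."""
        return round(sum(self.dread.values()) / len(DREAD_FACTORS), 1)


def enumerate_candidates(elements, flows):
    """Step 3: every (target, STRIDE letter, crosses_trust_boundary) that the
    element type admits. Flows that cross a trust boundary are flagged because
    that is where attacker-controlled input meets trusted code."""
    by_name = {e.name: e for e in elements}
    out = []
    for e in elements:
        for c in STRIDE_BY_ELEMENT[e.kind]:
            out.append((e.name, c, False))
    for f in flows:
        crosses = by_name[f.src].trust_zone != by_name[f.dst].trust_zone
        for c in STRIDE_BY_ELEMENT["data_flow"]:
            out.append((f.name, c, crosses))
    return out


def prioritize(threats):
    """Step 4: highest DREAD score first."""
    return sorted(threats, key=lambda t: t.score(), reverse=True)


def coverage_metrics(apps):
    """The three checkpoint percentages from the post.
    `apps` maps app name -> list of Threat, or None if no model exists yet."""
    modeled = [ts for ts in apps.values() if ts is not None]
    threats = [t for ts in modeled for t in ts]
    mitigated = [t for t in threats if t.mitigation]
    validated = [t for t in mitigated if t.validated]
    pct = lambda num, den: round(100 * num / den, 1) if den else 0.0
    return {
        "apps_with_model": pct(len(modeled), len(apps)),
        "threats_with_mitigation": pct(len(mitigated), len(threats)),
        "mitigations_validated": pct(len(validated), len(mitigated)),
    }


# Step 2 as data: a constructed checkout service (hypothetical).
ELEMENTS = [
    Element("browser", "external_entity", "internet"),
    Element("checkout_api", "process", "internal", ("session tokens",)),
    Element("orders_db", "data_store", "internal", ("payment records", "PII")),
]
FLOWS = [
    Flow("browser->checkout_api", "browser", "checkout_api", ("card data",)),
    Flow("checkout_api->orders_db", "checkout_api", "orders_db", ("card data",)),
]

# Steps 4-5: the analyst scores the candidates that matter and records the
# decided control; step 6 is re-running this against the updated diagram.
CHECKOUT_THREATS = [
    Threat("browser->checkout_api", "I", dict(zip(DREAD_FACTORS, (9, 8, 6, 9, 7))),
           mitigation="TLS 1.2+ with HSTS", validated=True),
    Threat("checkout_api", "E", dict(zip(DREAD_FACTORS, (8, 5, 5, 8, 4))),
           mitigation="server-side authorization check per order"),
    Threat("orders_db", "R", dict(zip(DREAD_FACTORS, (4, 6, 5, 3, 3)))),
]
PORTFOLIO = {"checkout": CHECKOUT_THREATS, "admin_portal": None}

if __name__ == "__main__":
    for target, cat, crosses in enumerate_candidates(ELEMENTS, FLOWS):
        print(f"{target:28} {cat} {'(crosses trust boundary)' if crosses else ''}")
    for t in prioritize(CHECKOUT_THREATS):
        print(f"{t.score():4} {t.target} {t.category} -> {t.mitigation}")
    print(coverage_metrics(PORTFOLIO))
```

The candidate list is deliberately exhaustive: it is the checklist the analyst prunes, not the final model. Only the threats that survive that review get DREAD scores, and the metrics are computed from those, so the percentages reflect decisions actually made rather than the size of the diagram.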

In summary, threat modeling is a proactive approach to improving application security. It helps organizations identify and prioritize potential threats, develop mitigation strategies, and make informed decisions about where to focus their security resources. The funny thing is that there is no single universal way to do Threat Modeling: there are many different tools following different frameworks, and one may work better for your organization than another. Whichever you choose, remember that threat modeling is not a one-time process; regular reviews and updates keep your threat models relevant as your applications and the threat landscape evolve.

Learn More:

Microsoft Secure Development Lifecycle Threat Model

OWASP Threat Modeling

Top Ten Threat Modeling Tools
