To ensure security throughout the entire organization, applications must be developed against secure coding standards and with a defensive strategy such as application threat modeling. Application threat modeling makes it possible to analyze the security of an application in a systematic manner. Threat modeling covers ranking issues by risk, identifying potential threats, and putting countermeasures in place to resolve them.
The Microsoft Threat Modeling Process
The Microsoft threat modeling process is visualised below:
If you would like to incorporate threat modeling into your application development cycle, it can be done using a three-step process.
The three-step threat modeling approach is documented below:
Step 1: Decompose the application
To identify the weaknesses of an application, it is first important to understand how the application interacts with external entities. By mapping the application's assets, entry points, trust levels and dependencies, it is possible to trace data flows through the application's systems and subsystems. As a result, it becomes possible to pinpoint exactly where the application's vulnerabilities lie.
Step 2: Identify and rank the threats
Once the application has been decomposed, it becomes possible to analyze every aspect of the application's design, architecture and functionality, and to identify weaknesses that could potentially be exploited. To manage this process in a systematic, thorough and repeatable way, it is recommended to use a threat categorization framework such as STRIDE.
The STRIDE framework outlines six common types of threat, along with the security controls responsible for protecting against them. After analyzing an application against these threat types, companies can systematically identify potential weaknesses and then judge the efficacy of their existing security controls.
The security risk posed by each identified threat can be ranked using a value-based risk model. At a basic level, the risk of a threat equals its likelihood of occurrence multiplied by its potential impact.
Microsoft's DREAD threat model applies this principle to produce a quantifiable risk score for each potential threat, assigning a value between 1 and 10 based on the severity of the identified threat. This allows companies to rank individual threats and prioritize their potential threats and risks accordingly.
Step 3: Identify suitable countermeasures
After the potential threats have been identified, it is then possible to determine whether suitable countermeasures exist for each of them.
Security threats without suitable countermeasures should be regarded as potential vulnerabilities, as these issues require further action to remedy. This is why threat models such as DREAD and STRIDE exist: they allow companies to rank and categorize security issues and risks and to assign resources as appropriate.
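As an added illustration (not code from the original article), the Python below models Steps 2 and 3 as a small threat register: each threat is tagged with a STRIDE category, scored with DREAD, ranked by score, and flagged as a potential vulnerability where no countermeasure exists. It assumes the common Microsoft formulation in which the five DREAD ratings (each 1 to 10) are averaged into the final score; the sample threats are constructed for a hypothetical web shop.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class Stride(Enum):
    """STRIDE's six threat categories."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DOS = "Denial of service"
    EOP = "Elevation of privilege"

@dataclass
class Threat:
    name: str
    category: Stride
    # DREAD ratings, each from 1 (low) to 10 (high)
    damage: int
    reproducibility: int
    exploitability: int
    affected_users: int
    discoverability: int
    countermeasure: Optional[str] = None  # None means no existing control

    def dread_score(self) -> float:
        """Average of the five ratings (assumption: Microsoft's usual DREAD formula), a 1-10 risk score."""
        ratings = (self.damage, self.reproducibility, self.exploitability,
                   self.affected_users, self.discoverability)
        if any(not 1 <= r <= 10 for r in ratings):
            raise ValueError("each DREAD rating must be between 1 and 10")
        return sum(ratings) / len(ratings)

def rank_threats(threats):
    """Highest risk first; equal scores keep their register order (sorted is stable)."""
    return sorted(threats, key=lambda t: t.dread_score(), reverse=True)

def open_vulnerabilities(threats):
    """Step 3: threats with no countermeasure are potential vulnerabilities needing action."""
    return [t for t in threats if t.countermeasure is None]

# Constructed sample register for a hypothetical web shop (not real findings).
SAMPLE_THREATS = [
    Threat("Replayed session token at /login", Stride.SPOOFING, 8, 7, 6, 9, 5,
           countermeasure="short-lived tokens bound to the TLS session"),
    Threat("Client-supplied price accepted at checkout", Stride.TAMPERING, 9, 9, 8, 7, 6),
    Threat("Stack trace reveals DB hostname", Stride.INFO_DISCLOSURE, 4, 10, 9, 3, 8,
           countermeasure="generic error page in production"),
    Threat("Unbounded upload fills disk", Stride.DOS, 6, 8, 7, 10, 4),
]
```

Running `rank_threats(SAMPLE_THREATS)` puts the tampering threat first (score 7.8), and `open_vulnerabilities` returns the tampering and denial-of-service entries as the items that still need a countermeasure.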