Threat modeling is a systematic and iterative process to identify threats to software applications. It has benefits like addressing design flaws and reducing security issues. Challenges include the time needed and ensuring resources are trained. The objectives are data loss prevention and intellectual property protection. Threat modeling involves software teams identifying threats, development teams implementing controls, and testers validating controls. It requires a defined security policy and awareness of compliance requirements. The process models the application architecture, identifies threats, and implements and documents controls to address risks.
Threat profile, validation report, residual risk

Threat Modeling
• Systematic
• Iterative
• Structured

Threat Modeling Benefits
• Addressing design flaws
• Reducing need for redesign
• Reducing need to fix security issues

Threat Modeling Challenges
• Time
• Mature SDLC
• Trained resources
• Preferential activity
• Business operations

Threat Modeling Security Objectives
• DLP
• Intellectual Property
• High availability

Threat Modeling Use
• Software architecture teams identify threats
• Development teams implement controls and write secure code
• Testers generate test cases and validate controls
• Operations teams configure software securely

Threat Modeling Prerequisites
• Clearly defined information security policy and standards
• Awareness about compliance and regulatory requirements
• Clearly defined and mature SDLC process
• Plan to act on threat model

Model Application Architecture - Creating an overview, Identifying attributes
• Identify the physical topology – development of application, internal only, demilitarized, hosted in the cloud
• Identify the logical topology – components, services, ports, protocols, identity and authentication
• Identify human and non-human actors of the system – customers, sales agent, system administration, DBA
• Identify data elements – product information, customer information
• Generate data access control matrix – CRUD

Identify Threats
• Trust boundaries – trust level or privilege changes
• Identify entry points – search page, logon page, registration page, account maintenance page
• Identify exit points – display information from within the system, search result page, view cart page
• Identify data flows – DFD
• Identify privileged functionality – elevation of privilege
• Introduce mis-actors – hackers, malware
• Determine potential and applicable threats – threat list, brainstorming
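The modeling steps above (actors, data elements, CRUD data access control matrix, entry points, trust boundaries, mis-actors) can be captured as data and checked mechanically. The following Python sketch is an added example, not part of the original slides; the permissions, zone names, trust levels and flows are constructed for illustration.

```python
# Added example; every permission, zone, trust level and flow is constructed.
CRUD = set("CRUD")

# Data access control matrix: actor -> data element -> permitted CRUD operations.
MATRIX = {
    "customer":    {"product information": "R",    "customer information": "CRU"},
    "sales agent": {"product information": "RU",   "customer information": "R"},
    "DBA":         {"product information": "CRUD", "customer information": "CRUD"},
}

# Trust level per zone of the topology; a flow into a higher level crosses a trust boundary.
TRUST = {"internet": 0, "dmz": 1, "internal": 2}

# Data flows: (actor, source zone, destination zone, entry point, operation, data element)
FLOWS = [
    ("customer", "internet", "dmz", "search page", "R", "product information"),
    ("customer", "internet", "dmz", "account maintenance page", "U", "customer information"),
    ("sales agent", "internal", "internal", "account maintenance page", "D", "customer information"),
    ("hacker", "internet", "dmz", "logon page", "R", "customer information"),  # mis-actor
]

def review_flows(matrix, trust, flows):
    """Return (kind, entry point, actor, detail) items for the threat list."""
    items = []
    for actor, src, dst, entry, op, element in flows:
        if op not in CRUD:
            raise ValueError(f"unknown operation {op!r}")
        # Actors missing from the matrix (mis-actors) have no permissions at all.
        if op not in matrix.get(actor, {}).get(element, ""):
            items.append(("ACCESS", entry, actor, f"{op} on {element} not in matrix"))
        if trust[src] < trust[dst]:
            items.append(("BOUNDARY", entry, actor, f"{src} -> {dst}"))
    return items

if __name__ == "__main__":
    for item in review_flows(MATRIX, TRUST, FLOWS):
        print(*item, sep=" | ")
```

ACCESS items are flows the matrix does not permit, so each needs a control and a test case; BOUNDARY items mark entry points where the trust level changes and are the starting list for threat brainstorming.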