Application Threat Modeling

OWASP Code Review Guide Table of Contents

Author: David Lowry

Introduction
Threat modeling is an approach for analysing the security of an application. It is a structured approach that enables you to identify, quantify and address the security risks associated with an application. Threat modeling is not an approach to reviewing code but it does compliment the secure code review process. The inclusion of threat modeling in the SDL can help to ensure that applications are being developed with security built in from the very beginning. This combined with the documentation produced as part of the threat modeling process can give the reviewer a greater understanding of the system. This allows the reviewer to see where the entry points to the application are and the associated threats with each entry point. The concept of threat modeling is not new but there has been a clear mindset change in recent years. Modern threat modeling looks at a system from a potential attackers perspective as opposed to a defenders view point. Microsoft have been strong advocates of the process over the past number of years. Microsoft have made threat modeling a core component of their SDL which they claim to be one of the reasons for the increased security of their products in recent years. The threat modeling process can be decomposed into 3 high level steps:

Decompose the Application. The first step in the threat modeling process is concerned with gaining an understanding of the application and how it interacts with external entities. This involves creating use cases to understand how the application is used, identifying entry points to see where a potential attacker could interact with the application, identifying assets i.e. items/areas that the attacker would be interested in and trust levels which represent the access rights that the application will grant to external entities. This information is documented in the Threat Model document and it is also used to produce data flow diagrams (DFD) for the application. The DFDs show the different paths through the system highlighting the privilege boundaries.

Determine and rank threats.

Determine vulnerabilities and mitigation.