Cheat Sheet: Threat Modeling Web Applications

From Guidance Share

Technique: Threat Modeling for Web Applications

Purpose: Identify relevant threats and vulnerabilities in your scenario to help shape your application's security design.

Input

  • Key use cases and usage scenarios
  • Data flows
  • Data schemas
  • Deployment diagrams


Output

  • A list of threats
  • A list of vulnerabilities


Technique Overview

The five major threat modeling steps are shown in Figure 1. You should progressively refine your threat model by repeatedly performing steps 2 through 5. You will be able to add more detail as you move through your application development life cycle and discover more about your application design.

[Figure 1: The five threat modeling steps (image ThreatModelingSteps.gif not reproduced)]

The five threat modeling steps are:

  • Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps.
  • Step 2: Create an application overview. Itemizing your application's important characteristics and actors helps you to identify relevant threats during step 4.
  • Step 3: Decompose your application. A detailed understanding of the mechanics of your application makes it easier for you to uncover more relevant and more detailed threats.
  • Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to your application scenario and context.
  • Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you focus on those areas where mistakes are most often made.
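To make steps 2 to 5 concrete, the following script is an added example (not code from the Guidance Share page) that models a small web application and derives the step outputs from the step inputs. The elements, trust zones, data flows, the two secret/sensitive data sets and the three rules are constructed assumptions; a real model would carry a much larger pattern-based rule set. It shows how an application overview and decomposition (trust boundaries, entry points, exit points, data flows) turn into a threat list, and how each threat maps onto a vulnerability category so review effort can be focused.

```python
"""Worked skeleton of steps 2 to 5 of the technique for a small web application.

Added example, not from the Guidance Share page. The elements, zones, flows
and the three rules below are constructed assumptions used to show how an
application overview and decomposition turn into a threat list and a list of
vulnerabilities grouped by category.
"""
from dataclasses import dataclass

# Trust zones ordered from least to most trusted (assumed ordering).
TRUST_LEVEL = {"internet": 0, "dmz": 1, "internal": 2}
# Data kinds that the sample model treats as secret or sensitive (assumed).
SECRET_DATA = {"credentials", "session token"}
SENSITIVE_DATA = SECRET_DATA | {"customer records"}


@dataclass(frozen=True)
class Element:
    name: str
    zone: str  # trust zone the element runs in


@dataclass(frozen=True)
class DataFlow:
    source: Element
    target: Element
    data: str      # what travels on the flow
    protocol: str  # transport, used to check for protection in transit

    def crosses_boundary(self) -> bool:
        return self.source.zone != self.target.zone

    def inbound(self) -> bool:
        """True when data moves from a less trusted zone into a more trusted one."""
        return TRUST_LEVEL[self.source.zone] < TRUST_LEVEL[self.target.zone]


# Step 2: application overview (constructed sample: browser, web app, database).
BROWSER = Element("browser", "internet")
WEB_APP = Element("web app", "dmz")
DATABASE = Element("sql database", "internal")

# Step 3: data flows read off the (constructed) data flow diagram.
FLOWS = [
    DataFlow(BROWSER, WEB_APP, "credentials", "http"),
    DataFlow(BROWSER, WEB_APP, "search query", "https"),
    DataFlow(WEB_APP, DATABASE, "sql query", "tcp"),
    DataFlow(DATABASE, WEB_APP, "customer records", "tcp"),
]


def decompose(flows):
    """Step 3: derive trust boundaries, entry points and exit points from the flows.

    An entry point is the target of an inbound boundary crossing; an exit point
    is the source of an outbound one (assumed definitions for this sample).
    """
    crossing = [f for f in flows if f.crosses_boundary()]
    return {
        "trust_boundaries": sorted({tuple(sorted((f.source.zone, f.target.zone))) for f in crossing}),
        "entry_points": sorted({f.target.name for f in crossing if f.inbound()}),
        "exit_points": sorted({f.source.name for f in crossing if not f.inbound()}),
    }


# Step 4: a pattern-based information model. Each rule maps a repeatable
# pattern on a boundary-crossing flow to a threat and a vulnerability category.
def rule_untrusted_input(flow):
    if flow.inbound():
        return (f"{flow.target.name} trusts {flow.data} arriving from the "
                f"{flow.source.zone} zone", "Input/Data Validation")
    return None


def rule_secret_in_clear(flow):
    if flow.data in SECRET_DATA and flow.protocol != "https":
        return (f"{flow.data} can be read in transit between {flow.source.name} "
                f"and {flow.target.name}", "Sensitive Data")
    return None


def rule_sensitive_exit(flow):
    if flow.data in SENSITIVE_DATA and not flow.inbound():
        return (f"{flow.data} leave the {flow.source.zone} zone via "
                f"{flow.source.name}", "Authorization")
    return None


RULES = [rule_untrusted_input, rule_secret_in_clear, rule_sensitive_exit]


def identify_threats(flows):
    """Steps 4 and 5: threat list with the vulnerability category each maps to."""
    findings = []
    for flow in flows:
        if not flow.crosses_boundary():
            continue  # same-zone flows are out of scope for these rules
        for rule in RULES:
            hit = rule(flow)
            if hit:
                threat, category = hit
                findings.append({
                    "flow": f"{flow.source.name} -> {flow.target.name} ({flow.data})",
                    "threat": threat,
                    "category": category,
                })
    return findings


def by_category(findings):
    """Count findings per vulnerability category to see where to focus review."""
    counts = {}
    for finding in findings:
        counts[finding["category"]] = counts.get(finding["category"], 0) + 1
    return counts


if __name__ == "__main__":
    for key, value in decompose(FLOWS).items():
        print(f"{key}: {value}")
    results = identify_threats(FLOWS)
    for finding in results:
        print(f"[{finding['category']}] {finding['flow']}: {finding['threat']}")
    print(by_category(results))
```

Running it on the sample yields two trust boundaries (internet/dmz and dmz/internal), the web app and the database as entry points, the database as an exit point, and five findings, three of which fall under Input/Data Validation. Re-running after each design change is the "incremental rendering" the technique calls for: the model is refined each iteration rather than completed in one pass.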

Technique Summary Table

The following table summarizes the threat modeling activity and shows the input and output for each step.


Technique Summary with Input and Output

Step 1: Identify security objectives
  Input:
    • Business requirements
    • Security policies
    • Compliance requirements
  Output:
    • Key security objectives

Step 2: Create an application overview
  Input:
    • Deployment diagrams
    • Use cases
    • Functional specifications
  Output:
    • Whiteboard-style diagram with end-to-end deployment scenario
    • Key scenarios
    • Roles
    • Technologies
    • Application security mechanisms

Step 3: Decompose your application
  Input:
    • Deployment diagrams
    • Use cases
    • Functional specifications
    • Data flow diagrams
  Output:
    • Trust boundaries
    • Entry points
    • Exit points
    • Data flows

Step 4: Identify threats
  Input:
    • Common threats
  Output:
    • Threat list

Step 5: Identify vulnerabilities
  Input:
    • Common vulnerabilities
  Output:
    • Vulnerability list


Key Concepts

This threat modeling approach is optimized to help you identify vulnerabilities in your application. The key concepts represent proven practices refined by industry security experts, consultants, product support engineers, customers, and partners.


  • Modeling to reduce risk: Use threat modeling to identify when and where you should apply effort to eliminate or reduce a potential threat. Threat modeling clarifies the areas of highest risk so that effort is not wasted elsewhere.
  • Incremental rendering: Perform threat modeling iteratively. Do not be too concerned about missing details in any single iteration; instead, focus on making each iteration productive.
  • Context precision: Understand application use cases and roles in order to identify threats and vulnerabilities that are specific to your application. Different application types, usage patterns, and roles yield different threats and vulnerabilities.
  • Boundaries: Establish boundaries to help you define constraints and goals. Boundaries help you identify what must not be allowed to happen, what can happen, and what must happen.
  • Entry and exit criteria: Define entry and exit criteria to establish tests for success. You should know before you start what your threat model will look like when it is complete (good enough) and when you have spent the right amount of time on the activity.
  • Communication and collaboration tool: Use the threat model as a communication and collaboration tool. Leverage discovered threats and vulnerabilities to improve shared knowledge and understanding.
  • Pattern-based information model: Use a pattern-based information model to identify the patterns of repeatable problems and solutions, and organize them into categories.
  • Key engineering decisions: Expose your high-risk engineering decisions and design choices with your threat model. These high-risk choices are good candidates for focused prototyping effort.
