Application Threat Modelling

Webapp security testing requires conducting application threat modelling, and this document shall provide you with the process.

Uploaded by

Young

Application threat modelling

Application threat modelling to identify the business security risks and security
vulnerabilities should be undertaken at the project definition stage, but may be
undertaken later in the software lifecycle when no model exists. Threat modelling
is also usually undertaken as part of security due diligence reviews to better
understand the business risks involved with the application before it goes live in
production. Threat modelling should be a structured technique that
systematically identifies threats, attacks, vulnerabilities and possible
countermeasures to mitigate the risks. The approach is usually based on an asset,
threat or compliance technique, to suit the business requirements.

Threat modelling process


Internet-facing systems are increasingly a vital part of the business strategies for
many organisations. For some near-virtual companies, this can be the main arena
for interactions with staff, suppliers and customers. Internet web applications are
complex since they can be:

- use a security policy to identify the security objectives
- develop an overview of the application using resources such as the project scope, requirements, specifications or operating guides
- examine the application in detail to understand its attack surface, mechanisms and processes
- identify the business threats due to the web site or web application
- identify vulnerabilities based on the threats identified previously

It is prudent to ensure that application threat modelling is an integral part
of web application development and operation processes.

Web Application threat modelling


The context of a Web Application will affect the types of threats identified. The
term Web Application can include intranets, extranets and public sites but there
can be a huge overlap of these in the Web Applications of enterprise
organisations. Web Applications often require the use of business data that would
otherwise be maintained only internally. The challenge of Web Application
security is to provide sufficient information security to protect the information
assets and your users (customers, partners, staff and other stakeholders).
Threat modelling will develop use cases, usage scenarios and associated data
flows, data schemas and deployment diagrams. Some of these may already exist
as part of the development process, but often need to be extended to include
malicious and accidental cases, rather than the intended usage.

Threat modelling vulnerabilities


For any Web Application, the following are likely to be the major categories of
vulnerabilities:

- input and output data validation
- authentication
- authorisation
- session management
- configuration management
- sensitive data
- cryptography
- exception handling
- auditing and logging

Any Web Application which has any form of user interaction will include all of
these potential categories.

Threat modelling objectives


The primary output of application threat modelling is a list of threats and a list of
associated vulnerabilities.
Threat modelling aims to identify what security issues should be addressed and
to prioritise them. It should also be used to build knowledge about the Web
Application or application, and to increase knowledge within the project team. By
documenting and demonstrating the threats and vulnerabilities, the team will
gain knowledge and avoid making changes that would reverse a fix.
All issues need to be reviewed using vulnerability assessment to confirm the
consequences if the vulnerability is exploited.

Vulnerability Assessments
Vulnerability assessment or audit is the process of identifying and quantifying
vulnerabilities in a web application or website using scanning and testing
methods. Vulnerability assessment is usually undertaken as part of web risk
assessments during the project definition stage or as a result of penetration
testing of an existing website or web application.

Threats first
The threats related to a web application are similar to other software, but by
their nature user-access is more widespread and less controlled. An initial
identification of security threats should be undertaken prior to identifying the
vulnerabilities.

Vulnerability consequences
A vulnerability assessment or audit should consider the effects of each identified
vulnerability on all assets (possibly identified during threat modelling) within the
scope of the review. Where possible, methods and techniques to remove or
reduce the effects of the vulnerability should be identified in order to minimise or
eliminate the business risk.
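
The checks described above (threats identified first, every vulnerability tied to a threat and one of the listed categories, effects considered for all assets in scope, a countermeasure where possible) can be run over a threat model register. This is an added example, not part of the original document; the `Vulnerability` class, the `review` function and the web-shop sample data are constructed for illustration.

```python
from dataclasses import dataclass, field

# The nine vulnerability categories listed in this document.
CATEGORIES = {
    "input and output data validation", "authentication", "authorisation",
    "session management", "configuration management", "sensitive data",
    "cryptography", "exception handling", "auditing and logging",
}

@dataclass
class Vulnerability:
    name: str
    category: str
    threat: str                                   # a threat identified beforehand
    effects: dict = field(default_factory=dict)   # asset -> consequence
    countermeasure: str = ""

def review(assets, threats, vulns):
    """Return (threat -> vulnerability names, list of gaps in the model)."""
    by_threat = {t: [] for t in threats}
    gaps = []
    for v in vulns:
        if v.category not in CATEGORIES:
            gaps.append(f"{v.name}: unknown category '{v.category}'")
        if v.threat not in by_threat:             # "threats first" rule
            gaps.append(f"{v.name}: no identified threat '{v.threat}'")
        else:
            by_threat[v.threat].append(v.name)
        for a in assets:                          # effects on all assets in scope
            if a not in v.effects:
                gaps.append(f"{v.name}: effect on asset '{a}' not assessed")
        if not v.countermeasure:
            gaps.append(f"{v.name}: no countermeasure identified")
    for t, names in by_threat.items():
        if not names:
            gaps.append(f"threat '{t}': no vulnerabilities identified")
    for c in sorted(CATEGORIES - {v.category for v in vulns}):
        gaps.append(f"category '{c}': not yet examined")
    return by_threat, gaps

# Constructed sample model for a hypothetical web shop.
ASSETS = ["customer records", "order database"]
THREATS = ["account takeover", "data disclosure"]
VULNS = [
    Vulnerability("no login rate limit", "authentication", "account takeover",
                  {"customer records": "misuse", "order database": "fraud"}, "throttle logins"),
    Vulnerability("verbose stack traces", "exception handling", "data disclosure",
                  {"customer records": "schema leak"}),
]
MODEL, GAPS = review(ASSETS, THREATS, VULNS)
```

`MODEL` is the list of threats with their associated vulnerabilities; `GAPS` lists what the team still has to assess before the model is complete.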
