Those responsible for enterprise information security often do not have an in-depth understanding of how the applications that need to be protected actually work. This tends to lead to overly defensive security controls being introduced, and one reason why information security is so often seen as a hindrance instead of a business benefit. Conversely, developers often don't realize the security implications of particular features and functions that they wish to incorporate into their applications.
To resolve this problem of security versus usability, most infosec practitioners agree that the industry needs to improve
Threat modeling: Underlying security and business benefits
Threat modeling not only raises security awareness amongst developers, but also makes application security an integral part of the application design and development process. It is a great way to help an organization bridge the knowledge gap between information security and development professionals.
Performed during the application design stage, threat modeling identifies and evaluates the risks to an application. This involves categorizing which assets or sensitive information the application accesses in order to identify potential threats to the application. The end result is ideally a reduction in the number of vulnerabilities that make it through to the release version. Also, since the cost of addressing security issues increases as the software design life cycle proceeds, threat modeling not only helps create better products and increase customer confidence in your applications, but also benefits the bottom line.
Threat modeling: Tools and tactics
If you employ a data flow approach, whereby the threat modeling team maps the flow of data through an application, the team can identify the key processes and the threats to those processes. By having your security professionals and developers work together, it's easier to analyze an application from an attacker's point of view.
The optimal time to employ this approach occurs once user requirements for a new application have been gathered, and work has started on the architecture and design of the application. This process not only ensures architecture design issues are resolved early on and creates a set of documents that identify and justify the security requirements of the application, but also helps everyone involved gain a better understanding of how and why a hacker may attack and how vulnerabilities can be removed.
Aside from these approaches, there are tools that enterprises can use to ensure the threat modeling methodology is maintained. Microsoft's Threat Modeling Tool, for example, can help development teams organize relevant data points, assets, trust levels, data flow diagrams, threats and vulnerabilities into a threat model document. Relevant countermeasures such as data validation and encryption for example can then be implemented and tested to ensure the application doesn't leave sensitive or personal information vulnerable to potential attackers. Testing may include penetration tests and fuzzing, where the application is sent varied and invalid data to ensure that it can handle it correctly.
Relying solely on perimeter security is not going to keep your applications secure. Using the threat modeling process will ensure that security is built into applications from day one, increasing their resilience and reducing their support costs at the same time. Threat modeling also provides a great opportunity to show management how security can add business value.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the bookIIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for SearchSecurity's Messaging Security School and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.
This was first published in January 2008