05 Aug What Every Developer Should Know About Threat Modelling
what every developer should know about threat modelling
From a business perspective, many aspects have moved or migrated online for smoother functioning. This has resulted in an exponential rise inhacking incidents and cyber-attacks. Cybersecurity is a top concern or a cause of worry for today’s IT world. The attacks are becoming more stronger, sophisticated and frequent. In response, cybersecurity experts and professionals are implementing and deploying a variety of defence and countermeasures to tackle the threats and attacks. It’s a huge undertaking considering the sheer number and different types of attacks available in the attacker’s repertoire. Threat modelling is quickly gaining significance in the IT world. The following article will talk about what every developer should know about threat modelling.
Read Also: Penetration Testing
What is threat modelling?
Threat modelling is a method of honing, improving and enhancing the network security system by locating vulnerabilities in a system, identifying the objectives and developing counter measures or a process to either prevent or mitigate the effects of these threats or an attack on the system.
While the threat modelling process can be carried out at any stage of software development, deploying it at the start is beneficial as it enables the early detection of threats and vulnerabilities. The threats can therefore be fixed or neutralised during the design phase itself as issues detected in the testing phase are time-consuming and expensive. Threat modelling doesn’t include developer code reviews and security testing. It is, in fact, developing a set of the well-organised process through which the application developers and infrastructure architectures are able to detect threats and build a robust security mechanism.
The threat modelling manifesto involves asking 4 important questions to build an effective model which are as following:
What are we working on? Does this include what kind of threat modelling needs building? The threats can be identified by studying data flow transitions, architectural diagrams and data classifications which can be then translated into a virtual model of the network that needs protection.
What can go wrong? Here you study or research the threat landscape and identify main threats to your network
What are we going to do about it? This includes measures and actions to be undertaken to prevent or recover from a potential cyberattack.
Did we do a good enough job? This is the final step wherein we document the actionable process and check for quality measures, feasibility process, planning and studying the progress report.
Read Also: Web Applications Penetration Testing/
The threat modelling process
Here are five steps for the threat modelling process
Identifying objectives: The organisation should first identify its security objectives. An indetail study should be carried out on the security requirements and identify possible threats in business flows. Any security compliance issues and requirements which are a part of objectives should also be taken into consideration
Identify assets and external dependencies: Developers need to identify and build an inventory list of all the assets that are a part of the network infrastructure. They should also identify a list of external dependencies that are not a part of the network infrastructure but may pose a threat to the security of the system. The assets and external dependencies should then be prioritised based on risk assessment and protected from potential attackers.
Identify trust zones: The developers must identify trust zones and monitor the data entry and exit points. The data information should be documented and should be used to build data flow diagrams with privilege boundaries. This helps in data validation, user authentication and error handling.
Identify potential threats and vulnerabilities: Identify threats and vulnerabilities within the system that may have an impact on the security system. Some instances of threats are SQL injection attacks, unauthorised authentication and session hijacking. The developers should also focus on high-risk prone areas like exposed endpoints and gateways, anomaly detection, data input validation, misconfiguration, weak password policies, infrequent auditing and logging.
After identifying the threats, compile a threat list based on risk assessment and the possibility of the risk to convert into a full-fledged attack. The list can be classified as
Accepting: The risk level is accepting and not a priority. Maybe assessed later
Transferring: The risk should be transferred or outsourced
Avoiding: Not a high-level risk but requires architectural and infrastructural changes to avoid the risk becoming big in the future
Reducing/Mitigating: High-level risk which requires immediate attention to prevent the risk from becoming a potential threat.
Document the threat model: The threat model should be documented as threat modelling is an iterative process and architects can refer to the model documents to build on or develop a strong security system. The documents can be used as security guidelines or to drive test cases which helps in mitigating risks and identify vulnerabilities.
Read Also: Importance of Security Assessments/
Importance of threat modelling process
A detailed report by security boulevard regarding cybercrime states that data breaches exposed 4.1 billion records in 2019 and that social media-enabled cybercrimes steal $3.25 billion in annual global revenue. A report by KnowBe4’s 2019 Security Threats and Trends report states that 75% of the organisations feel insider threat is a genuine and growing concern, whereas 85% of the organisations surveyed reported being a frequent target of phishing and social engineering attacks. Security breaches and data leaks have increased by a whopping 67% since 2014. Threat modelling allows detection of threats and vulnerabilities in the development stage itself and hence helps in saving time as well as financial resources. The threat model process is an iterative process that helps in building a robust security system and prevent attacks from happening. Thus, as attacks become more complicated a sophisticated, the threat modelling process is an effective and efficient way to counter such threats.
Threat Modelling frameworks and methodologies
There are many threat modelling processes but given below are some famous and frequently used methodologies
STRIDE: Developed by Microsoft and is an acronym for the 6 categories mentioned below. Helps to identify threats that fall in the following categories
Spoofing: An intruder passing as an authenticated user, as a component or disguising as a known system feature to gain access.
Tampering: Altering of data or network configuration in a system to gain access to achieve a malicious goal
Repudiation: the ability of an intruder to cover his tracks or deny a malicious activity due to lack of sufficient proof.
Information Disclosure: Exposing sensitive or protected data to a user that isn’t authorised to see that particular data
Denial of service: An attack on the system to shut down a particular machine like sever or a network system so that it is inaccessible to its intended users.
Elevation of privilege: Misusing the privileges and executing commands and functions which that the user isn’t supposed to. Results in vertical privilege escalation.
PASTA: is a risk-centric methodology and stands for Process for Attack Simulation and threat analysis. Developers identify threats through simulated attacks and then develop a risk-centric strategy to mitigate risks
TRIKE: This methodology uses threat models as a risk management tool. It is basically a form of requirement model which is established through the organisation’s objectives and stakeholders defined acceptable level of risk assigned to each asset class. The threats identified are given risk values, and then actions and measures are taken based on the risk score.