SACON
SACON International 2017
Abhisek Datta
Appsecco
Head of Technology
@abh1sek
India | Bangalore | November 10 – 11 | Hotel Lalit Ashok
SACON 2017
Let's start with a story...
Why Perform Threat Modeling?
• To be able to see where the entry points to the application are and the associated threats with each entry point
• To be able to create a security roadmap
• To be able to create more secure applications in general
• To be able to sustain secure software development practices
What is Threat Modeling?
• Threat modeling is an in-depth approach for analyzing the security of an application
• It allows the reviewer to see where the entry points to the application are (i.e. the attack surfaces)
• It allows the reviewer to see the associated threats with each entry point (i.e. attack vectors)
• It allows the reviewer to design and adopt various countermeasures and mitigation strategies to enhance the security of the application
Outcome of Threat Modeling
• A document clearly describing application components and the applicable threats for each component
• Risk-rated prioritization of threats and how each should be addressed
• Accepted risks
Threat Modeling
A Generic Approach
A Threat is not a Vulnerability
• Threat
  • A potential to cause harm to something of value (asset)
• Vulnerability
  • A way to cause harm or to materialize the threat
All web applications with an SQL backend have a threat of injection, but not all of them have an SQL injection vulnerability.
How to Perform Threat Modeling – Bird's-Eye View
Application Decomposition → Threat Identification → Risk Analysis → Countermeasures
Application Decomposition
• Identify external dependencies
• Identify entry points
• Identify assets
• Identify attack surfaces
• Identify trust levels
Data Flow Analysis
Exploring the attack surface includes dynamic and static data flow analysis. This covers where and when variables are set, how the variables are used throughout the workflow, and how attributes of objects and parameters might affect other data within the program. It determines whether the parameters, method calls, and data exchange mechanisms implement the required security.
Data Flow Diagram
Threat Identification
• Attack Trees
• Threat Libraries
  • STRIDE, CAPEC, CWE, OWASP Top 10, etc.
• Checklists
  • OWASP ASVS
• Use Cases
Threat Categorization – The STRIDE Framework
Threat | Example
Spoofing | Impersonation or pretending to be someone else
Tampering | Modifying something that should not be modifiable
Repudiation | Denying that someone did something
Information Disclosure | Access to information that should not be exposed
Denial of Service | Preventing a system from delivering its services
Elevation of Privilege | Doing things that one isn't supposed to do
Risk Analysis – Threat Rating
• Not all threats can be countered or mitigated at the same time
• An effective and actionable outcome of Threat Modeling requires prioritization of threats
• Risk rating frameworks can be used for Threat Rating
Risk Analysis – Generic Risk Analysis Model
Risk Analysis – DREAD
1. Damage Potential
2. Reproducibility
3. Exploitability
4. Affected Users
5. Discoverability
Countermeasures
The purpose of countermeasure identification is to determine whether some kind of protective measure (e.g. security control, policy measures) is in place that can prevent each threat previously identified via threat analysis from being realized.
Countermeasures – Example
• Threat
  • An attacker can spoof their email address to avail of services
• Countermeasure
  • Enforce verification of the email address before delivering services
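A small threat register that ties together the STRIDE categories, DREAD rating and countermeasure check from the slides above, as an added example that is not part of the original deck. The 1 to 10 scale, the averaging of the five DREAD factors, the status labels and every sample rating are assumptions made for illustration.

```python
from dataclasses import dataclass

STRIDE = {"Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege"}
DREAD = ("damage", "reproducibility", "exploitability",
         "affected_users", "discoverability")

@dataclass
class Threat:
    description: str
    category: str              # one of the STRIDE categories
    scores: dict               # DREAD factor -> rating (assumed scale: 1..10)
    countermeasure: str = ""   # empty: no protective measure identified yet
    accepted: bool = False     # risk explicitly accepted by its owner

    def rating(self) -> float:
        if self.category not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.category}")
        if set(self.scores) != set(DREAD):
            raise ValueError("all five DREAD factors must be rated")
        if not all(1 <= v <= 10 for v in self.scores.values()):
            raise ValueError("DREAD ratings must be in 1..10")
        return sum(self.scores.values()) / len(DREAD)  # assumed: plain average

def prioritize(threats):
    """Return (rating, status, threat) rows, highest rating first."""
    rows = []
    for t in threats:
        status = "accepted" if t.accepted else "mitigated" if t.countermeasure else "open"
        rows.append((t.rating(), status, t))
    return sorted(rows, key=lambda row: row[0], reverse=True)

# Constructed sample register; the first entry is the deck's own example threat.
REGISTER = [
    Threat("Attacker spoofs an email address to avail of services", "Spoofing",
           dict(damage=6, reproducibility=9, exploitability=8, affected_users=5, discoverability=7),
           countermeasure="Verify the email address before delivering services"),
    Threat("Injection through the SQL backend", "Tampering",
           dict(damage=9, reproducibility=8, exploitability=7, affected_users=9, discoverability=7)),
    Threat("Missing audit trail lets a user deny an action", "Repudiation",
           dict(damage=4, reproducibility=5, exploitability=3, affected_users=2, discoverability=1),
           accepted=True),
]

if __name__ == "__main__":
    for rating, status, t in prioritize(REGISTER):
        print(f"{rating:4.1f}  {status:9}  [{t.category}] {t.description}")
```

Rows with status "open" are the threats that still need a countermeasure or an explicit risk acceptance.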

Sacon Threat Modeling Overview (Abhishek Datta)