Note: You can use our free Threat Modeling template to make it easier to follow along. Simply make a copy or download the template, which is an Excel Document.
Developing a new application is a complex process, and security is one of the top priorities for the Software Development Life Cycle (SDLC) team.
Organizations are adopting proactive measures like threat modeling to ensure the application is secure. This approach helps identify and mitigate potential security risks early in the development cycle. By addressing these issues before the actual development of the application, businesses can save time and money by modifying the architecture and eliminating any potential security flaws.
In this blog post, we will provide an in-depth look at threat modeling, its benefits, who can make a threat model, and a step-by-step guide on effectively making a threat model.
What is Threat Modeling?
Threat Modeling is the process of identifying risks to a system. This includes defining potential threats, identifying issues that could arise from these threats, and developing mitigation strategies.
Threat modeling is a practical approach to analyzing the design of a feature, application, or product to eliminate potential security flaws. The primary goal of threat modeling is to understand the risks before developing a system.
Why is Threat Modeling Important?
Starting the threat modeling process early in the software development lifecycle can save money and time in the long run by mitigating issues and modifying architecture before any software is written.
There are three main benefits to proactive threat modeling:
- Ensures That Application Security Is Built into The Product as It’s Being Developed - Threat modeling is a proactive approach to application security that helps identify and mitigate potential threats early in development, so security decisions shape the design rather than being bolted on afterwards.
- Security Problems Found and Fixed Early in the Development Process - Design-level flaws are found while the architecture can still be changed cheaply, instead of being discovered in testing or after release when a fix is far more expensive.
- The Security Mindset Is Encouraged in Developers and Testers - Threat modeling is an essential practice that helps developers and testers adopt a security-focused mindset by proactively identifying and addressing potential security vulnerabilities.
Who Can Make a Threat Model?
Threat modeling is also a great way to have multiple team members collaborate to understand a system, which is essential to building a strong DevSecOps culture. In order to create a comprehensive and effective threat model, it is crucial to involve all stakeholders throughout the SDLC. Engaging diverse perspectives can identify and address potential threats from multiple angles, resulting in a more robust and resilient security strategy.
While there are many different approaches to threat modeling, specialized tools can significantly streamline the process and improve the output quality. Many threat modeling tools are free or low-cost and can easily be downloaded on your device. Three important threat modeling tools include:
How To Make a Threat Model
There are five steps in our Threat Modeling methodology:
- Scope
- Draw
- Analyze
- Mitigate
- Document
Let’s dive into each step!
Step 1: Scope
The first step in the threat model process is to define the scope of the threat model, including the system or application to be modeled, its assets, data, and users.
When defining the system, it is important to:
- Define The Boundaries - Which components are and are not part of this system?
- Understand The Users - What are the types of users and their different system access levels?
- Understand The Data Stored - Which sensitive data has special access restrictions?
- Understand How The System Will Be Used
Step 2: Draw
After defining the system, you should have a good understanding of all the components. Your team lists all the assets within the scope of the model, including hardware, software, data, and other resources that attackers could target.
This is also the point at which you visualize your application's data flow by creating diagrams that depict the data flows and interactions between the key components of the application or IT system.
Step 3: Analyze
Many frameworks have been created to help teams analyze and prioritize threats. The most widely used framework is called STRIDE. STRIDE is a mnemonic that lists different threat categories:
- Spoofing - pretending to be someone or something else (ex: changing the source IP address of a request to bypass network ACLs)
- Tampering - modifying a piece of data through unauthorized channels (ex: manipulating packets in network traffic)
- Repudiation - being able to claim that you did not do something (ex: denying that you sent an email that your coworker received from your email address)
- Information Disclosure - exposing information to an entity that is not authorized to view it (ex: storing sensitive information in the “hidden” fields of HTML)
- Denial of Service - consuming a service's resources so that the service becomes unavailable (ex: flooding the network with bogus packets)
- Elevation of Privilege - giving someone or something the ability to do something they should not be allowed to do (ex: a normal user running administrative functions)
After analyzing the possible threats, the next step is to prioritize them. This step is subjective based on the specific organization and system. While your team works through each threat individually, evaluate each threat based on risk.
To help calculate the risk, we will use another useful mnemonic device called DREAD. Answer each question in the DREAD mnemonic with a rating of 1-5, assuming that the threat has occurred.
- Damage - How much damage will be caused?
- Reproducibility - How easy is the threat to reproduce?
- Exploitability - What resources are needed to exploit this threat?
- Affected Users - How many users will be affected?
- Discoverability - How easily can this threat be discovered again?
So, your team will take each STRIDE threat, ask each DREAD question above, and give a rating. Then, you add up each rating so that each STRIDE threat has a numerical value – this will help you prioritize your work.
Step 4: Mitigate
After prioritizing each threat, we can address them in order of risk and decide how best to manage each one. For each risk, your team can choose one of the following four actions:
- Mitigate the Threat - Reduce the likelihood of the threat (ex: add an application firewall)
- Eliminate the Threat - Completely remove the likelihood that the threat can occur (ex: do not allow account deletions)
- Transfer the Threat - Transfer the risk to a third party (ex: use a payment processor such as Stripe for credit card transactions)
- Accept the Risk - Do not act on this threat as you are willing to accept the consequences
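The Analyze and Mitigate steps above, as an added example that is not part of the original post: a small Python threat register that checks each DREAD rating is within 1-5, sums the ratings per STRIDE threat, ranks the register highest risk first, and records which of the four treatments the team chose. The sample threats and their ratings are constructed here from the STRIDE examples in the post and are illustrative only.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")
DREAD = ("Damage", "Reproducibility", "Exploitability", "Affected Users", "Discoverability")
TREATMENTS = ("mitigate", "eliminate", "transfer", "accept")  # the four options in Step 4

@dataclass
class Threat:
    title: str
    category: str                    # one of the STRIDE categories
    ratings: Tuple[int, ...]         # five DREAD ratings in mnemonic order, each 1..5
    treatment: Optional[str] = None  # Step 4 decision; None until the team decides
    rationale: str = ""

def validate(threat: Threat) -> List[str]:
    """Return every problem with a register entry; an empty list means it is well-formed."""
    problems = []
    if threat.category not in STRIDE:
        problems.append(f"unknown STRIDE category {threat.category!r}")
    if len(threat.ratings) != len(DREAD):
        problems.append(f"expected {len(DREAD)} DREAD ratings, got {len(threat.ratings)}")
    for factor, value in zip(DREAD, threat.ratings):
        if not isinstance(value, int) or not 1 <= value <= 5:
            problems.append(f"{factor} must be an integer 1-5, got {value!r}")
    if threat.treatment is not None and threat.treatment not in TREATMENTS:
        problems.append(f"unknown treatment {threat.treatment!r}")
    return problems

def dread_score(threat: Threat) -> int:
    """Sum of the five DREAD ratings (5..25); malformed entries are rejected so they cannot skew the ranking."""
    if problems := validate(threat):
        raise ValueError("; ".join(problems))
    return sum(threat.ratings)

def prioritize(register: List[Threat]) -> List[Threat]:
    """Order the register by DREAD total, highest risk first, so the team works top-down."""
    return sorted(register, key=dread_score, reverse=True)

# Constructed sample register: titles follow the STRIDE examples in the post, ratings are illustrative.
SAMPLE = [
    Threat("Spoofed source IP bypasses network ACL", "Spoofing", (4, 3, 3, 4, 3),
           "mitigate", "authenticate clients instead of trusting the source address"),
    Threat("Sensitive data stored in hidden HTML fields", "Information Disclosure", (3, 5, 5, 5, 5),
           "eliminate", "keep the data server-side so there is nothing to disclose"),
    Threat("Bogus packet flood exhausts the service", "Denial of Service", (3, 4, 2, 5, 4)),
    Threat("User denies sending an email from their address", "Repudiation", (2, 3, 3, 1, 2),
           "accept", "mail logs are retained; residual risk is acceptable"),
]
```

Entries whose `treatment` is still `None` are the ones the team has not yet decided on, which is a useful check before the Document step.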
Step 5: Document
When your team reaches this step, you will have a tangible document with a definition of your system, an enumeration of possible threats to your system, and a ranking and risk strategy for each threat. The next step is to step back and ask whether this model makes sense.
Some critical questions to ask your team are:
- Has the model really covered everything? Is there anything missing?
- Does everybody on the team agree on the inputs to the threat model?
- Do the risk management decisions align with how we prioritized protecting our system?
- Are the attacks an actual threat? Will they occur?
- How will you monitor the threat landscape on an ongoing basis?
- When the threat landscape changes, who will help reassess and modify the threat model?
Now It’s Time To Get Started
The threat landscape constantly changes. It's crucial to stay aware of the evolving patterns of attacks, and each system faces unique threats based on data collected, industry usage, and other factors.
Threat modeling is an excellent way to keep the proper focus during development. It's crucial to explore emerging threats and devise strategies to mitigate them continuously.
You can download our Threat Modeling Template here, and to create threat modeling experts on your team – you can provide world-class AppSec training with Security Journey’s AppSec Education Platform; learn more here.