Misconceptions of threat modeling

Threat modeling can be described as a planned procedure with the following goals: determine security requirements, identify vulnerabilities and security threats, measure vulnerability and threat severity, and prioritize remediation methods.

Threat modeling techniques generate these artifacts:

An abstraction of the system
Profiles of potential attackers, with their motivations and methods
A list of potential threats

Threat modeling is a method of identifying the threats that could cause damage to a computer system. It adopts the perspective of a malicious attacker to determine how much damage that attacker could cause. In the course of threat modeling, businesses conduct an extensive analysis of the software architecture, the business context, and other documentation (e.g. functional specifications and user manuals). This leads to a deeper understanding and discovery of the key elements that affect the software. Typically, companies perform threat modeling during the design phase of a new application (though it may be conducted at other stages) to help developers identify weaknesses and be conscious of the security consequences of their design, code, and configuration. Generally, developers carry out threat modeling in four steps:

Diagram. What are we building?
Identify threats. What can go wrong?
Mitigate. What can we do to protect ourselves from those threats?
Validate. Have we acted on each of the preceding steps?

Benefits of threat modeling

If done properly, threat modeling provides a clear line of sight across an application that helps justify security initiatives. The process of modeling threats helps an organization identify the most likely security risks to the application and then make logical choices about how to deal with them. Otherwise, decision-makers may act rashly on little or no evidence.

In the end, a well-documented threat model provides assurances that are useful in explaining and defending the security posture of a program or system. When the development organization is committed to security, threat modeling is the most effective way to do the following:

Find issues early in the software development lifecycle (SDLC), even before coding begins.
Spot design flaws that traditional testing methods and code reviews could overlook.
Consider new forms of attack you might not otherwise think of.
Maximize your testing budget by helping to target testing and code review.
Identify security requirements.
Remediate problems before software release and avoid costly recoding after deployment.
Think about threats beyond standard attacks and the security concerns specific to your application.
Keep your frameworks ahead of the internal and external attackers relevant to your application.
Use the highlighted assets, threat agents, and controls to determine the elements that attackers are most likely to target.
Map threat agents' locations, motivations, skills, and capabilities to locate potential attackers in relation to the system architecture.

Misconceptions about threat modeling

As a security process, threat modeling is subject to several misconceptions. Some people believe threat modeling is only a design-stage activity, others consider it an optional exercise that penetration testing or code review can replace, and some think the process is too complicated. The following should clarify some of these myths:

Penetration testing and code review are not a replacement for threat modeling. Penetration testing and secure code review are two processes that are effective in finding flaws in code. However, security assessments (e.g. threat modeling) are more effective at identifying weaknesses in design.

There is a valid reason to build a threat model after deployment. Issues identified in the current deployment can inform the future security architecture strategy, and identifying weaknesses allows faster and better remediation. If you don't know the risks an application is exposed to, it is difficult to ensure you're addressing all of them.

Threat modeling doesn't have to be overwhelming. Many developers are intimidated by the idea that threat modeling is part of their job. At first it can seem daunting. However, if you break the tasks into workable steps, performing a threat model on a simple web application, or even a complex architecture, becomes systematic. The key is to start with the basic best practices.

Best practices for threat modeling

The key benefit of threat modeling is to promote security awareness across the entire team. It's the first step toward making security everyone's responsibility. In theory, threat modeling is a straightforward process. Consider these five best practices for creating or updating a threat model:

1. Define the scope and depth of analysis. Determine the scope with stakeholders, then break down the depth of analysis for the individual development teams so they can threat model the software.

2. Gain a clear understanding of what you're threat modeling. Create a diagram of the major components of your system (e.g. application server, data warehouse, thick client) and the interactions among these components.

3. Model the attack possibilities. Identify the software assets, security controls, and threat agents, and diagram their locations to build a security model of the system (see Figure 1). Once you've modeled the system, you can identify what could go wrong (i.e. threats) using methods such as STRIDE.

4. Identify threats. To produce a list of potential attacks, ask questions such as the following:

Are there paths where a threat agent can reach an asset without going through a control?

Can a threat agent defeat this security control?

What must a threat agent do to defeat this control?

5. Create a traceability matrix of missing or weak security controls. Consider the threat agents and follow their control paths. If you reach the software asset without going through a security control, that's a potential attack. If you do go through a control, consider whether it would halt the threat agent or whether the agent would have methods to bypass it.

Synopsys threat modeling

Synopsys software security services offer threat modeling, which helps detect weaknesses that could increase your system's vulnerability to attack, such as security-related design flaws, control oversights or weaknesses, configuration errors, or misuse.

The Synopsys high-level approach

The Synopsys high-level approach to threat modeling consists of the following steps:

Model the system.
Conduct a threat analysis.
Prioritize the threats.

Model the system

System modeling consists of two parts:

Creating a component diagram with a control flow graph (which illustrates all the possible execution paths in the program)
Identifying assets, security controls, trust zones, and threats

Conduct a threat analysis

The most significant task in threat modeling is threat identification. Most methods fall into two groups:

Checklist-based approaches. Most threat modeling techniques use a checklist or template. For instance, STRIDE recommends you consider six kinds of threats (spoofing, tampering, repudiation, information disclosure, denial of service, and elevation of privilege) for any dataflow that crosses a trust boundary.
Non-checklist-based approaches. These methods typically use creative techniques (e.g. brainstorming) to identify threats.

Synopsys threat analysis uses a checklist-like approach that employs templates to drive the analysis but leaves room for creative analysis. Synopsys uses pre-baked application protocol templates for threat analysis of widely used protocol types, including OAuth, SAML, OIDC, Kerberos, password-based authentication, and more. This list isn't exhaustive, but it can help users think about potential areas to study.

Prioritize the threats

Once we've modeled the system and performed a threat analysis, we have a list of potential threats. The next step is deciding how to prioritize them. At Synopsys, we use the NIST approach to rank threats. We follow its guidelines to quantify the likelihood and impact of each threat to determine its severity.
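Worked example, added here and not Synopsys tooling or code from the original article: a small Python threat model that walks the five best practices above and the model / analyze / prioritize steps, modeling a constructed three-component system with trust zones, enumerating STRIDE entries for every boundary-crossing dataflow, answering the "can the agent reach the asset without passing a control" traceability question, and ranking threats by likelihood x impact. All component names, zones, controls and scores are constructed sample data, and the rule that an uncontrolled flow is scored as maximally likely is an assumption of this example, not the NIST method.

```python
STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information disclosure",
          "Denial of service", "Elevation of privilege")

# Constructed sample system: component -> trust zone
ZONES = {"thick_client": "internet", "app_server": "dmz", "data_store": "internal"}
# Constructed sample dataflows: (source, destination, controls on the flow)
FLOWS = [
    ("thick_client", "app_server", frozenset({"TLS", "OAuth token check"})),
    ("app_server", "data_store", frozenset({"parameterised queries"})),
    ("thick_client", "data_store", frozenset()),  # legacy path with no control
]
ASSETS = {"data_store"}
# Constructed 1-5 likelihood/impact per STRIDE category (NIST-style inputs)
LIKELIHOOD = {"Spoofing": 4, "Tampering": 3, "Repudiation": 2,
              "Information disclosure": 4, "Denial of service": 3,
              "Elevation of privilege": 2}
IMPACT = {"Spoofing": 3, "Tampering": 4, "Repudiation": 2,
          "Information disclosure": 5, "Denial of service": 3,
          "Elevation of privilege": 5}

def crosses_boundary(src, dst, zones=ZONES):
    """A flow crosses a trust boundary when its endpoints sit in different zones."""
    return zones[src] != zones[dst]

def stride_threats(flows=FLOWS, zones=ZONES):
    """Checklist step: one (category, src, dst, controls) entry per STRIDE
    category for every dataflow that crosses a trust boundary."""
    return [(cat, src, dst, controls) for src, dst, controls in flows
            if crosses_boundary(src, dst, zones) for cat in STRIDE]

def uncontrolled_asset_paths(flows=FLOWS, zones=ZONES, assets=ASSETS):
    """Traceability check: boundary-crossing flows that reach an asset
    without passing any security control."""
    return [(src, dst) for src, dst, controls in flows
            if dst in assets and crosses_boundary(src, dst, zones) and not controls]

def severity(threat):
    """Likelihood x impact; an uncontrolled flow is scored as maximally likely
    (a constructed rule for this example, not a NIST formula)."""
    cat, _, _, controls = threat
    return (5 if not controls else LIKELIHOOD[cat]) * IMPACT[cat]

def ranked_threats(flows=FLOWS, zones=ZONES):
    """Prioritisation: STRIDE entries sorted by severity, highest first."""
    return sorted(stride_threats(flows, zones), key=severity, reverse=True)
```

In this sample the legacy thick-client-to-data-store flow is the only path that reaches an asset without a control, so its information disclosure and elevation of privilege entries rank at the top.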