Threat model

From Wikipedia, the free encyclopedia

In computer security, a threat model is a description of set of security aspects, that is, when looking at a piece of software (or any computer system) you can define a threat model defining a set of possible attacks to consider. It is often useful to define many separate threat models for one computer system, this way you have groups of more narrow set of possible attacks to focus on. Having a threat model you can assess the probability, the potential harm, the priority etc. of attacks, and from this point on try to minimize or eradicate the threats. More recently, threat modeling has become an integral part of Microsoft's SDL (Security Development Lifecycle) process.[1]

The fundamental assertion behind threat modeling is that threats are realized through attacks which can materialize through certain vulnerabilities if they have not been mitigated with appropriate countermeasures.

1 The threat modeling Process
2 Updated threat modeling approach
3 See also
4 External links

[edit] The threat modeling Process

Understand the adversary's view

Entry points
Assets
Trust levels

Characterise the security of the system

Use scenarios
Assumptions / dependencies
Model the system

Determine threats

Identify threats
Analyse threats
Be clever in writing code

[edit] Updated threat modeling approach

This article or section is not written in the formal tone expected of an encyclopedia article.
Please improve it or discuss changes on the talk page. See Wikipedia's guide to writing better articles for suggestions.

Threat modeling has changed in recent times (around 2004) to take on a more defensive perspective rather than an adversarial perspective. The problem with an adversarial perspective is that it is reactive.

When you adopt an adversarial perspective, you examine software applications, or any system, by trying to find holes in it and ways they might be exploited. Techniques that are often used in an adversarial approach are penetration testing (white box and black box), and code review. While these are valuable techniques to discover potential problems, the flaw is that you can only use them once the software has been written.

This means that if you discover any security related problems, you have to rework and re-write your code. This is very expensive in terms of both time and money.

Security bugs have a much larger impact than functionality bugs. Since code around security usually touches every portion of the application, the 'ripple effect' makes the cost exponentially more expensive than functionality bugs.

Current threat modeling takes on a defender's perspective. This means that threats are examined and countermeasures, or mitigations, are identified at the design state of the application before any code is written. This way the defensive mechanisms are built into the code as it is written rather than patched in later. This is much more cost effective and has the added benefit of increasing security awareness in the development team.

A general high level overview of common steps in the defensive perspective threat modeling are:

Define the application requirements:
- Identify business objectives
- Identify user roles that will interact with the application
- Identify the data the application will manipulate
- Identify the use cases for operating on that data that the application will facilitate

Model the application architecture
- Model the components of the application
- Model the service roles that the components will act under
- Model any external dependencies
- Model the calls from roles, to components and eventually to the data store for each use case as identified above

Identify any threats to the confidentiality, availability and integrity of the data and the application based on the data access control matrix that your application should be enforcing
Assign risk values and determine the risk responses
Determine the countermeasures to implement based on your chosen risk responses
Continually update the threat model based on the emerging security landscape.