gary rotter

Threat modeling

A process of identifying assets, their vulnerabilities, and how each is exposed to threats. It is a strategic approach that combines various security activities, such as vulnerability management, threat analysis, and incident response.

Another use of threat modeling is to proactively find and reduce risks to any system or business process.

Defending the application layer

Threat modeling is one of the primary ways to ensure that an application meets security requirements.

A typical threat modeling process is performed in a cycle:

  • Define the scope
  • Identify threats
  • Characterize the environment
  • Analyze threats
  • Mitigate risks
  • Evaluate findings

Threat modeling should be performed before, during, and after an application is developed.

Common frameworks

  • STRIDE
  • PASTA
  • Trike
  • VAST

STRIDE

A threat modeling framework developed by Microsoft. It’s commonly used to identify vulnerabilities in six specific attack vectors. The acronym represents each of these vectors:

  • Spoofing
  • Tampering
  • Repudiation
  • Information disclosure
  • Denial of service
  • Elevation of privilege

PASTA

Process for attack simulation and threat analysis.

7 stages for PASTA:

  • 1. Define business and security objectives
  • 2. Define technical scope
  • 3. Decompose the application
  • 4. Perform a threat analysis
  • 5. Perform a vulnerability analysis
  • 6. Conduct attack modeling
  • 7. Analyze risk and impact

Trike

Trike is an open source methodology and tool that takes a security-centric approach to threat modeling. It’s used to focus on security permissions, application use cases, privilege models, and other elements that support a secure environment.

VAST

The Visual, Agile, and Simple Threat (VAST) modeling framework is part of an automated threat-modeling platform called “ThreatModeler”. Many security teams opt to use VAST as a way of automating and streamlining their threat modeling assessments.

keys to threat modeling

Asking the right questions.

  • What are we working on?
  • What kinds of things can go wrong?
  • What are we doing about it?
  • Have we addressed everything?
  • Did we do a good job?

Leave a Reply

Your email address will not be published. Required fields are marked *