This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Threat Modeling Cheat Sheet"
m (→Why do we need to perform threat modeling: Minor grammar edits. Clarifications.) (Tag: Visual edit) |
|||
| Line 3: | Line 3: | ||
{| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | {| style="padding: 0;margin:0;margin-top:10px;text-align:left;" |- | ||
| − | | valign="top" | + | | valign="top" style="border-right: 1px dotted gray;padding-right:25px;" | |
Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | Last revision (mm/dd/yy): '''{{REVISIONMONTH}}/{{REVISIONDAY}}/{{REVISIONYEAR}}''' | ||
| − | <br/> | + | <br /> |
__TOC__{{TOC hidden}} | __TOC__{{TOC hidden}} | ||
= DRAFT CHEAT SHEET - WORK IN PROGRESS = | = DRAFT CHEAT SHEET - WORK IN PROGRESS = | ||
| Line 23: | Line 23: | ||
=Why do we need to perform threat modeling= | =Why do we need to perform threat modeling= | ||
| − | 1. Performing threat model at the architecture level, helps in | + | 1. Performing threat model at the architecture level, helps in: |
| − | a. confirming | + | a. confirming suitability of the identified security features to be implemented |
b. identification of any gaps in the security features to be implemented | b. identification of any gaps in the security features to be implemented | ||
c. identification of any further security features | c. identification of any further security features | ||
| Line 34: | Line 34: | ||
i. understanding capacity and availability requirements | i. understanding capacity and availability requirements | ||
| − | 2. Performing threat model at the design level, helps in | + | 2. Performing threat model at the design level, helps in: |
| − | a. identification of vulnerabilities that need to be closed at design level and input this into build phase | + | a. identification of vulnerabilities that need to be closed at the design level and input this into the build phase |
b. identification of information assets that need security controls | b. identification of information assets that need security controls | ||
| − | c. mapping of identified security controls into technical / administrative / physical controls as the case may be (this activity can be done at the architecture level as well, but doing it at design level helps in being granular) | + | c. mapping of identified security controls into technical / administrative / physical controls as the case may be (this activity can be done at the architecture level as well, but doing it at the design level helps in being granular) |
d. identification of security test cases / security test scenarios to test the security requirements | d. identification of security test cases / security test scenarios to test the security requirements | ||
=Starting the threat modeling exercise= | =Starting the threat modeling exercise= | ||
| − | It is important to have a risk assessment policy | + | It is important for an organization to have or create a risk assessment policy that gives practitioner guidance on when to do a threat model, provides management guidance on assigning owners to risks, etc. |
| − | |||
| − | + | An organization should also complete the following before beginning the threat modeling exercise: | |
| − | + | 1. Make a list of all the stakeholders who need to participate in threat modeling. For example, stakeholders may include application architects, infrastructure architects, solution architects, business owners, etc. | |
| − | + | 2. Get management buy-in for the exercise to ensure that there is management support for involvement of all necessary stakeholders. | |
| − | + | 3. Confirm that the threat modeling exercise is led by the security team of the organisation and the risk log is maintained by the security team. | |
| + | |||
| + | Capturing the following information is part of the exercise: | ||
1. The trust boundaries to and within the solution that we build | 1. The trust boundaries to and within the solution that we build | ||
| Line 66: | Line 67: | ||
7. Threat agents that can exploit the vulnerabilities | 7. Threat agents that can exploit the vulnerabilities | ||
| − | 8. Impact of exploitation of vulnerability by a threat | + | 8. Impact of exploitation of vulnerability by a threat agent |
9. Decision tree to treat the risk | 9. Decision tree to treat the risk | ||
| Line 107: | Line 108: | ||
10. For each of the information flows perform threat assessment using any of the methodologies that meets the organisation’s requirements: | 10. For each of the information flows perform threat assessment using any of the methodologies that meets the organisation’s requirements: | ||
| − | 11. Add a probability value to the materialisation of each | + | 11. Add a probability value to the materialisation of each threat |
| − | 12. Add a value for impact of each threat materialisation | + | 12. Add a value for the impact of each threat materialisation |
13. Identify the acceptable level of risk for the organisation or the identified scope | 13. Identify the acceptable level of risk for the organisation or the identified scope | ||
| Line 122: | Line 123: | ||
=How to work on getting the mitigations in place, track them to closure and keep monitoring risks= | =How to work on getting the mitigations in place, track them to closure and keep monitoring risks= | ||
| − | 1. Upon completion of the initial threat modelling exercise, assign | + | 1. Upon completion of the initial threat modelling exercise, assign identified risks to the relevant business / risk owners of threats for example |
| − | a. If there is an identified risk with the way the database is implemented, assign the risk to the owner of the database team. | + | a. If there is an identified risk with the way the database is implemented, assign the risk responsibility to the owner of the database team. |
| − | b. If there is an identified risk with the application design assign the risk to the owner of the application team | + | b. If there is an identified risk with the application design, assign the risk responsibility to the owner of the application team |
| − | c. | + | c. Although the risks are assigned to the database and application teams, the accountability of ensuring the risks are addressed lies with the business owner for the business the application is being developed for. At the end of the day, the business owner needs to understand the risk appetite of his/her business unit and whether the risk is above or below the acceptable level. |
2. Maintain a Threat Traceability Matrix which at the minimum lists the following: | 2. Maintain a Threat Traceability Matrix which at the minimum lists the following: | ||
| Line 141: | Line 142: | ||
3. Test the risk as a part of security testing to ensure that the mitigation works as expected | 3. Test the risk as a part of security testing to ensure that the mitigation works as expected | ||
| − | Periodically retest the risk in either a vulnerability scan or | + | Periodically retest the risk in either a vulnerability scan or as part of penetration test or security test to ensure that the mitigation remains in place and works as expected. |
| Line 156: | Line 157: | ||
{{Cheatsheet_Navigation_Body}} | {{Cheatsheet_Navigation_Body}} | ||
[[Category:Cheatsheets]] | [[Category:Cheatsheets]] | ||
| + | |} | ||
Revision as of 00:43, 22 August 2017
|
Last revision (mm/dd/yy): 08/22/2017
DRAFT CHEAT SHEET - WORK IN PROGRESSIntroductionThe objective of this cheat sheet is to provide guidance to developers, reviewers, designers and architects on conducting successful threat modeling. The main goal of threat modeling is to understand the controls needed for a software system. This is a complex endeavor that will involve investigations into:
Why do we need to perform threat modeling1. Performing threat model at the architecture level, helps in: a. confirming suitability of the identified security features to be implemented
b. identification of any gaps in the security features to be implemented
c. identification of any further security features
d. identification of policy and process requirements
e. identification of requirements to be fed into security operations
f. identification of logging and monitoring requirements
g. arriving at abuse cases when used in agile methodology
h. understanding business continuity requirements
i. understanding capacity and availability requirements
2. Performing threat model at the design level, helps in: a. identification of vulnerabilities that need to be closed at the design level and input this into the build phase
b. identification of information assets that need security controls
c. mapping of identified security controls into technical / administrative / physical controls as the case may be (this activity can be done at the architecture level as well, but doing it at the design level helps in being granular)
d. identification of security test cases / security test scenarios to test the security requirements
Starting the threat modeling exerciseIt is important for an organization to have or create a risk assessment policy that gives practitioner guidance on when to do a threat model, provides management guidance on assigning owners to risks, etc. An organization should also complete the following before beginning the threat modeling exercise: 1. Make a list of all the stakeholders who need to participate in threat modeling. For example, stakeholders may include application architects, infrastructure architects, solution architects, business owners, etc. 2. Get management buy-in for the exercise to ensure that there is management support for involvement of all necessary stakeholders. 3. Confirm that the threat modeling exercise is led by the security team of the organisation and the risk log is maintained by the security team. Capturing the following information is part of the exercise: 1. The trust boundaries to and within the solution that we build 2. The actors that interact within and outside of the trust boundaries 3. Information flows within and to and from the trust boundaries 4. Information persistence within and out of trust boundaries 5. Threats to transgression of trust boundaries by actors and for information flow and persistence 6. Vulnerabilities at trust boundaries as accessed by actors and for information flow and persistence 7. Threat agents that can exploit the vulnerabilities 8. Impact of exploitation of vulnerability by a threat agent 9. Decision tree to treat the risk Decompose and Model the systemTo perform a threat model, it is important to understand how the system works and interacts with its ecosystem. To start with, create a high level information flow diagram, something like this:
2. Add actors – internal and external 3. Define internal trusted boundaries. These can be the different security zones that have been designed 4. Relook at the actors you have identified in #2 for consistency 5. Add information flows a. Information in transit
b. Information at rest
c. Information processing
d. In the above diagram, following are the information flows:
i. Login Information
ii. Transmit login information
iii. Data process
iv. Data store
6. Identify the information elements and their classification as per your information classification policy 7. Where possible add assets to the identified information flows 8. Identify threat agents for each of the information flows 9. Draw attack vectors and attack trees in an iteratively to make sure that no major attack vector is missed. 10. For each of the information flows perform threat assessment using any of the methodologies that meets the organisation’s requirements: 11. Add a probability value to the materialisation of each threat 12. Add a value for the impact of each threat materialisation 13. Identify the acceptable level of risk for the organisation or the identified scope 14. Identify the risks for mitigation that are above the acceptable level of risk 15. Mitigate the risks by doing one or more of the following: a. Accept
b. Transfer
c. Avoid
d. Reduce
How to work on getting the mitigations in place, track them to closure and keep monitoring risks1. Upon completion of the initial threat modelling exercise, assign identified risks to the relevant business / risk owners of threats for example a. If there is an identified risk with the way the database is implemented, assign the risk responsibility to the owner of the database team.
b. If there is an identified risk with the application design, assign the risk responsibility to the owner of the application team
c. Although the risks are assigned to the database and application teams, the accountability of ensuring the risks are addressed lies with the business owner for the business the application is being developed for. At the end of the day, the business owner needs to understand the risk appetite of his/her business unit and whether the risk is above or below the acceptable level.
2. Maintain a Threat Traceability Matrix which at the minimum lists the following: a. Information flow (along with the list of assets)
b. Threats for the information flows
c. Probability of occurrence of the risk
d. Impact of materialisation of the risk
e. Risk owner – responsibility wise
f. Risk owner – accountability wise
g. Mitigation
h. Last review date
i. Next review date
j. Instances of materialisation of the risk
3. Test the risk as a part of security testing to ensure that the mitigation works as expected Periodically retest the risk in either a vulnerability scan or as part of penetration test or security test to ensure that the mitigation remains in place and works as expected.
Further Readinghttps://www.owasp.org/index.php/Application_Threat_Modeling
Authors and Primary EditorsTODO Other Cheatsheets |
