This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "Application Threat Modeling"

From OWASP
Jump to: navigation, search
(External Dependencies)
(Added a link to TM outputs)
 
(192 intermediate revisions by 16 users not shown)
Line 1: Line 1:
''[[OWASP Code Review Guide Table of Contents]]__TOC__
+
__TOC__
  
 +
Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.
  
<br>
+
Threat modelling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, things in the internet of things, business processes, etc. There are very few technical products which cannot be threat modelled; more or less rewarding, depending on how much it communicates, or interacts, with the world. Threat modelling can be done at any stage of development, preferably early - so that the findings can inform the design.
  
----
+
== What ==
 +
Most of the time, a threat model includes:
 +
* A description / design / model of what you’re worried about
 +
* A list of assumptions that can be checked or challenged in the future as the threat landscape changes
 +
* A list of potential threats to the system
 +
* A list of actions to be taken for each threat
 +
* A way of validating the model and threats, and verification of success of actions taken
 +
Our motto is: Threat modelling: the sooner the better, but never too late.
  
===Introduction===
+
== Why ==
Threat modeling is an approach for analysing the security of an application. It is a structured approach that enables you to identify, quantify and address the security risks associated with an application. Threat modeling is not an approach to reviewing code but it does compliment the secure code review process. The inclusion of threat modeling in the SDL can help to ensure that applications are being developed with security built in from the very beginning. This combined with the documentation produced as part of the threat modeling process can give the reviewer a greater understanding of the system. This allows the reviewer to see where the entry points to the application are and the associated threats with each entry point. The concept of threat modeling is not new but there has been a clear mindset change in recent years. Modern threat modeling looks at a system from a potential attackers perspective as opposed to a defenders view point. Microsoft have been strong advocates of the process over the past number of years. Microsoft have made threat modeling a core component of their SDL which they claim to be one of the reasons for the increased security of their products in recent years. The threat modeling process can be decomposed into 3 high level steps:
+
[[Category:FIXME|the list above includes an Application name, but the example does not have one]]
  
'''Decompose the Application.'''
+
The inclusion of threat modelling in the SDLC can help
 +
* Build a secure design
 +
* Efficient investment of resources; appropriately prioritize security, development, and other tasks
 +
* Bring Security and Development together to collaborate on a shared understanding, informing development of the system
 +
* Identify threats and compliance requirements, and evaluate their risk
 +
* Define and build required controls.
 +
* Balance risks, controls, and usability
 +
* Identify where building a control is unnecessary, based on acceptable risk
 +
* Document threats and mitigation
 +
* Ensure business requirements (or goals) are adequately protected in the face of a malicious actor, accidents, or other causes of impact
 +
* Identification of security test cases / security test scenarios to test the security requirements
  
The first step in the threat modeling process is concerned with gaining an understanding of the application and how it interacts with external entities. This involves creating use cases to understand how the application is used, identifying entry points to see where a potential attacker could interact with the application, identifying assets i.e. items/areas that the attacker would be interested in and trust levels which represent the access rights that the application will grant to external entities. This information is documented in the Threat Model document and it is also used to produce data flow diagrams (DFD) for the application. The DFDs show the different paths through the system highlighting the privilege boundaries.
+
== 4 Questions ==
 +
Most threat model methodologies answer one or more of the following questions in the technical steps which they follow:
  
'''Determine and rank threats.'''
+
=== 1. What are we building? ===
 +
As a starting point you need to define the scope of the Threat Model. To do that you need to understand the application you are building, examples of helpful techniques are:
 +
* Architecture diagrams
 +
* Dataflow transitions
 +
* Data classifications
 +
* You will also need to gather people from different roles with sufficient technical and risk awareness to agree on the framework to be used during the Threat Modelling exercise.
  
 +
=== 2. What can go wrong? ===
 +
This is a "research" activity in which you want to find the main threats that apply to your application.  There are many ways to approach the question, including brainstorming or using a structure to help think it through.  Structures that can help include STRIDE, Kill Chains, CAPEC and others.
  
 +
=== 3. What are we going to do about that? ===
 +
In this phase you turn your findings into specific actions.  See [[Threat_Modeling_Outputs]]
  
 +
=== 4. Did we do a good enough job? ===
 +
Finally, carry out a retrospective activity over the work you have done to check quality, feasibility, progress, and/or planning.
  
'''Determine vulnerabilities and mitigation.'''
+
== Process ==
 +
The technical steps in threat modelling involve answering questions: - What are we working on - What can go wrong - What will we do with the findings - Did we do a good job? The work to answer these questions is embedded in some sort of process, ranging from incredibly informal Kanban with Post-its on the wall to strictly structured waterfalls.
  
 +
The effort, work, and timeframes spent on threat modelling relate to the process in which engineering is happening and products/services are delivered. The idea that threat modelling is waterfall or ‘heavyweight’ is based on threat modelling approaches from the early 2000s. Modern threat modelling building blocks fit well into agile and are in wide use.
  
 +
==== When to threat model ====
 +
When the system changes, you need to consider the security impact of those changes. Sometimes those impacts are not obvious.
  
 +
Threat modelling integrates into Agile by asking “what are we working on, now, in this sprint/spike/feature?”; trying to answer this can be an important aspect of managing security debt, but trying to address it per-sprint is overwhelming. When the answer is that the system’s architecture isn’t changing, no new processes or dataflows are being introduced, and there are no changes to the data structures being transmitted, then it is unlikely that the answers to ‘what can go wrong’ will change. When one or more of those changes, then it’s useful to examine what can go wrong as part of the current work package, and to understand designs trade-offs you can make, and to understand what you’re going to address in this sprint and in the next one. The question of did we do a good job is split: the “did we address these threats” is part of sprint delivery or merging, while the broader question is an occasional saw-sharpening task.
  
 +
After a security incident, going back and checking the threat models can be an important process.
  
Each of the above steps are documented as they are carried out. The resulting document is the threat model for the application. This guide will use an example to help explain the concepts behind threat modeling. The same example will be used throughout each of the 3 steps as a learning aid. The example that will be used is a college library website. At the end of the guide we will have produced the threat model for the college library website. Each of the steps in the threat modeling process are described in detail below.
+
==== Threat modelling: engagement versus review ====
 +
Threat modelling at a whiteboard can be a fluid exchange of ideas between diverse participants. Using the whiteboard to construct a model that participants can rapidly change based on identified threats is a high-return activity. The models created there (or elsewhere) can be meticulously transferred to a high-quality archival representation designed for review and presentation. Those models are useful for documenting what’s been decided and sharing those decisions widely within an organization. These two activities are both threat modelling, yet quite different.
  
 +
==== Validating assumptions ====
  
== Decompose the Application ==
+
== Learning More ==
The goal of this step is to gain an understanding of the application and how it interacts with external entities. This goal is achieved by information gathering and documentation. The information gathering process is carried out using a clearly defined structure, this ensures the correct information is collected. This structure also defines how the information should be documented to produce the Threat Model.
 
 
 
===Threat Model Information===
 
The first item in the threat model is the information relating to the threat model.
 
This must include the the following:
 
 
 
# '''Application Name''' - The name of the application.
 
# '''Application Version''' - The version of the application.
 
# '''Description''' - A high level description of the application.
 
# '''Document Owner''' - The owner of the threat modeling document.
 
# '''Participants''' - The participants involved in the threat modeling process for this application.
 
# '''Reviewer''' - The reviewer(s) of the threat model.<br/>
 
Example:
 
 
 
  '''Application Name:''' College Library<br/>
 
  '''Application Version:''' 1.0<br/>
 
  '''Description:''' The college library website is the first implementation of a website to provide librarians and library patrons
 
  (students and college staff) with online services. As this is the first implementation of the website the functionality will be
 
  limited. There will be three users of the application: <br/>
 
  1. Students
 
  2. Staff
 
  3. Librarians<br/>
 
  Staff and students will be able to login and search for books. Librarians will be able to login, add books, add users and search for books.<br/>
 
  '''Document Owner:''' David Lowry<br/>
 
  '''Participants:''' David Rook<br/>
 
  '''Reviewer:''' Eoin Keary<br/>
 
 
 
===Use Cases===
 
Use cases are an important step in gaining an understanding of the applications structure and its use. Use cases capture the functional requirements of an application. They describe the interaction between the actor, i.e. the user of the application and the application to achieve a specific goal. The user cases help define the scope for the threat model as they are essentially documenting the requirements of the application.
 
 
 
Example:<br/>
 
The use case below shows the student actor interacting with the application. A student can carry out two tasks with the application - login and search for books.<br/><br/>
 
[[Image:Student_use_case.gif]]
 
<br/><br/>
 
The use case below shows the college faculty actor interacting with the application. A faculty member can carry out three tasks with the application - login, request books and search for books.<br/><br/>
 
[[Image:Faculty_use_case.gif]]
 
<br/><br/>
 
The use case below shows the librarian actor interacting with the application. A librarian can carry out four tasks with the application - login, search for books, add a book and add a user.<br/><br/>
 
[[Image:Librarian_use_case.gif]]
 
 
 
 
 
===External Dependencies===
 
External dependencies are items external to the code of the application that may pose a threat to the application. These items are typically still within the control of the organisation but possibly not within the control of the development team. The first area to look at when investigating external dependencies is how will the application be deployed in a production environment and what are the requirements surrounding this. This involves looking at how the application is or is not intended to be run. For example if the application is expected to be run on a server that has been hardened to the organisations hardening standard and it is expected to sit behind a firewall then this information should be documented in the external dependencies section. External dependencies should be documented as follows:
 
 
 
# '''ID''' - A unique ID assigned to the external dependency.
 
# '''Description''' - A textual description of the external dependency.
 
 
 
Example:<br/>
 
<br/>
 
<table align="center" cellspacing="1" CELLPADDING="7">
 
 
 
<tr bgcolor="cccccc">
 
<th colspan="2" align="center">External Dependencies</th>
 
</tr>
 
 
 
<tr bgcolor="cccccc">
 
<th>ID</th>
 
<th>Description</th>
 
</tr>
 
 
 
<tr bgcolor="dddddd">
 
<td>1</td>
 
<td>The college library website will run on a Linux server running apache.  This server will be hardened as per the colleges server hardening standard. This includes the application of the latest operating system and application security patches.</td>
 
</tr>
 
 
 
<tr bgcolor="cccccc">
 
<td>2</td>
 
<td>The database server will be mysql and it will run on a Linux server. This server will be hardened as per the colleges server hardening standard. This will include the application of the lastest operating system and application security patches.</td>
 
</tr>
 
 
 
<tr bgcolor="dddddd">
 
<td>3</td>
 
<td>The connection between the Web Server and the database server will be over a private network.</td>
 
</tr>
 
 
 
<tr bgcolor="cccccc">
 
<td>4</td>
 
<td>The Web Server is behind a firewall and the only communication available is TLS.</td>
 
</tr>
 
 
 
 
 
</table>
 
<br/>
 
 
 
===Entry Points===
 
Entry points define the interfaces through which potential attackers can interact with the application or supply it with data. In order for potential attacker to attack an application entry points must exist. Entry points in an application can be layered, for example each web page in a web application may contain multiple entry points. Entry points should be documented as follows:
 
 
 
#  '''ID''' - A unique ID assigned to the entry point. This will be used to cross reference the entry point with any threats or vulnerabilities that are identified. In the case of layer entry points a major.minor notation should be used.
 
# '''Name''' - A descriptive name identifying the entry point and its purpose.
 
# '''Description''' - A textual description detailing the interaction or processing that occurs at the entry point.
 
# '''Trust Levels''' - The level of access required at the entry point is documented here. These will be cross referenced with the trusts levels defined later in the document.
 
 
 
Example:
 
 
 
 
 
===Assets===
 
The system must have something that the attacker is interested in, these items/areas of interest are defined as assets. Assets are essentially threat targets, i.e. they are the reason threats will exist. Assets can be both physical assets and abstract assets. For example an asset of an application might be a list of clients and their personal information, this is a physical asset. An abstract asset might be the reputation of an organsation. Assets are documented in the threat model as follows:
 
 
 
# '''ID''' - A unique ID is assigned to identify each asset. This will be used to cross reference the asset with any threats or vulnerabilities that are identified.
 
# '''Name''' - A descriptive name that clearly identifies the asset.
 
# '''Description''' - A textual description of what the asset is and why it needs to be protected.
 
# '''Trust Levels''' - The level of access required to access the entry point is documented here. These will be cross referenced with the trust levels defined in the next step.
 
 
 
Example:
 
 
 
 
 
===Trust Levels===
 
Trust levels represent the access rights that the application will grant to external entities. The trust levels are cross referenced with the entry points and assets. This allows us to defined the access rights or privileges required at each entry point and those required to interact with each asset. Trust levels are documented in the threat model as follows:
 
 
 
# '''ID''' - A unique number is assigned to each trust level. This is used to cross reference the trust level with the entry points and assets.
 
# '''Name''' - A descriptive name that allows you to identify the external entities that have been granted this trust level.
 
# '''Description''' - A textual description of the trust level detailing the external entity who has been granted the trust level.
 
 
 
Example:
 
 
 
 
 
===Data Flow Diagrams===
 
All of the information collected allows us to accurately model the application through the use of Data Flow Diagrams (DFDs). The DFDs will allow us to gain a better understanding of the application by providing a visual representation of how the application processes data. The focus of the DFDs is on how data moves through the application and what happens to the data as it moves. DFDs are hierarchical in structure so they can be used to decompose the application into subsystems and lower-level subsystems. The high level DFD will allow us to clarify the scope of the application being modeled. The lower level iterations will allow us to focus on the specific processes involved when processing specific data. There are a number of symbols that are used in DFDs for threat modeling. These are described below:
 
 
 
'''External Entity'''<br/>
 
The external entity shape is used to represent any entity outside the application that interacts with the application via an entry point.<br/><br/>
 
[[Image:DFD_external_entity.gif]]
 
<br/><br/>
 
 
 
'''Process'''<br/>
 
The process shape represents a task that handles data within the application. The task may process the data or perform an action based on the data.<br/><br/>
 
[[Image:DFD_process.gif]]
 
<br/><br/>
 
 
 
'''Multiple Process'''<br/>
 
The multiple process shape is used to present a collection of subprocesses. The multiple process can be broken down into its subprocesses in another DFD.<br/><br/>
 
[[Image:DFD_multiple_process.gif]]
 
<br/><br/>
 
 
 
'''Data Store'''<br/>
 
The data store shape is used to represent locations where data is stored. Data stores do not modify the data they only store data.<br/><br/>
 
[[Image:DFD_data_store.gif]]
 
<br/><br/>
 
 
 
 
 
'''Data Flow'''<br/>
 
The data flow shape represents data movement within the application. The direction of the data movement is represented by the arrow.<br/><br/>
 
[[Image:DFD_data_flow.gif]]
 
<br/><br/>
 
'''Privilege Boundary'''<br/>
 
The privilege boundary shape is used to represent the change of privilege levels as the data flows through the application.<br/><br/>
 
[[Image:DFD_privilge_boundary.gif]]
 
<br/><br/>
 
 
 
 
 
 
 
Example:
 
 
 
== Determine and rank threats ==
 
== Determine vulnerabilities and mitigation ==
 
  
 +
==== Agile approaches ====
 +
* Main agile threat modelling page
 +
* Specific agile approach1 TM page
 +
* Specific agile approach2 TM page
  
 +
==== Waterfall approaches ====
 +
* Main waterfall TM page
  
 +
== Additional/External references ==
 
[[Category:OWASP Code Review Project]]
 
[[Category:OWASP Code Review Project]]
 +
[[Category:Threat_Modeling]]
 +
[[Category:SAMM-TA-1]]

Latest revision as of 16:44, 14 October 2018

Threat modelling works to identify, communicate, and understand threats and mitigations within the context of protecting something of value.

Threat modelling can be applied to a wide range of things, including software, applications, systems, networks, distributed systems, things in the internet of things, business processes, etc. There are very few technical products which cannot be threat modelled; more or less rewarding, depending on how much it communicates, or interacts, with the world. Threat modelling can be done at any stage of development, preferably early - so that the findings can inform the design.

What

Most of the time, a threat model includes:

  • A description / design / model of what you’re worried about
  • A list of assumptions that can be checked or challenged in the future as the threat landscape changes
  • A list of potential threats to the system
  • A list of actions to be taken for each threat
  • A way of validating the model and threats, and verification of success of actions taken

Our motto is: Threat modelling: the sooner the better, but never too late.

Why

The inclusion of threat modelling in the SDLC can help

  • Build a secure design
  • Efficient investment of resources; appropriately prioritize security, development, and other tasks
  • Bring Security and Development together to collaborate on a shared understanding, informing development of the system
  • Identify threats and compliance requirements, and evaluate their risk
  • Define and build required controls.
  • Balance risks, controls, and usability
  • Identify where building a control is unnecessary, based on acceptable risk
  • Document threats and mitigation
  • Ensure business requirements (or goals) are adequately protected in the face of a malicious actor, accidents, or other causes of impact
  • Identification of security test cases / security test scenarios to test the security requirements

4 Questions

Most threat model methodologies answer one or more of the following questions in the technical steps which they follow:

1. What are we building?

As a starting point you need to define the scope of the Threat Model. To do that you need to understand the application you are building, examples of helpful techniques are:

  • Architecture diagrams
  • Dataflow transitions
  • Data classifications
  • You will also need to gather people from different roles with sufficient technical and risk awareness to agree on the framework to be used during the Threat Modelling exercise.

2. What can go wrong?

This is a "research" activity in which you want to find the main threats that apply to your application. There are many ways to approach the question, including brainstorming or using a structure to help think it through. Structures that can help include STRIDE, Kill Chains, CAPEC and others.

3. What are we going to do about that?

In this phase you turn your findings into specific actions. See Threat_Modeling_Outputs

4. Did we do a good enough job?

Finally, carry out a retrospective activity over the work you have done to check quality, feasibility, progress, and/or planning.

Process

The technical steps in threat modelling involve answering questions: - What are we working on - What can go wrong - What will we do with the findings - Did we do a good job? The work to answer these questions is embedded in some sort of process, ranging from incredibly informal Kanban with Post-its on the wall to strictly structured waterfalls.

The effort, work, and timeframes spent on threat modelling relate to the process in which engineering is happening and products/services are delivered. The idea that threat modelling is waterfall or ‘heavyweight’ is based on threat modelling approaches from the early 2000s. Modern threat modelling building blocks fit well into agile and are in wide use.

When to threat model

When the system changes, you need to consider the security impact of those changes. Sometimes those impacts are not obvious.

Threat modelling integrates into Agile by asking “what are we working on, now, in this sprint/spike/feature?”; trying to answer this can be an important aspect of managing security debt, but trying to address it per-sprint is overwhelming. When the answer is that the system’s architecture isn’t changing, no new processes or dataflows are being introduced, and there are no changes to the data structures being transmitted, then it is unlikely that the answers to ‘what can go wrong’ will change. When one or more of those changes, then it’s useful to examine what can go wrong as part of the current work package, and to understand designs trade-offs you can make, and to understand what you’re going to address in this sprint and in the next one. The question of did we do a good job is split: the “did we address these threats” is part of sprint delivery or merging, while the broader question is an occasional saw-sharpening task.

After a security incident, going back and checking the threat models can be an important process.

Threat modelling: engagement versus review

Threat modelling at a whiteboard can be a fluid exchange of ideas between diverse participants. Using the whiteboard to construct a model that participants can rapidly change based on identified threats is a high-return activity. The models created there (or elsewhere) can be meticulously transferred to a high-quality archival representation designed for review and presentation. Those models are useful for documenting what’s been decided and sharing those decisions widely within an organization. These two activities are both threat modelling, yet quite different.

Validating assumptions

Learning More

Agile approaches

  • Main agile threat modelling page
  • Specific agile approach1 TM page
  • Specific agile approach2 TM page

Waterfall approaches

  • Main waterfall TM page

Additional/External references

Retrieved from "https://wiki.owasp.org/index.php?title=Application_Threat_Modeling&oldid=244224"