
Designing Secure Web Applications With Application Threat Modeling

Revision as of 09:55, 27 March 2009 by EoinKeary (talk | contribs)


Security flaws due to insecure design constitute the majority of the vulnerabilities found in web applications today; for example, 50-70% of all defects found in web applications are security design flaws. Such flaws are also widespread in the business-critical web applications in use today: for example, 76% of financial sites still have at least one critical design flaw that can be exploited to cause financial fraud, identity theft, reputation and brand damage, denial of service to customers, and so on. From the perspective of designing secure web applications, the fact that security flaws are still so pervasive highlights the need for architects to adopt security engineering practices and threat analysis methodologies that identify potential vulnerabilities while the application is still being designed.

From the defensive security design perspective, secure architectures can be designed by following security engineering processes, secure architecture design standards and secure design patterns. From the offensive security design perspective, an application can only be as secure as the threats it is designed to mitigate; therefore, while designing web applications, architects need to be aware of the potential design flaws that an attacker could exploit to cause damage to the application and/or to its end users.

Application Threat Modeling is a tactical activity that architects can use during design to visualize the application's threat scenarios and the assets that can be attacked, and to identify the potential vulnerabilities that can be exploited, so that countermeasures can be designed proactively to mitigate them. The analysis starts from the application's business objectives; from these the assets that can be attacked are identified, together with how they can be attacked. The potential attacks can be analyzed using attack trees and use and misuse cases, and by decomposing the application into tiers and components to determine which threats affect each of them and how. Once the attacks that would exploit a vulnerability are identified, it is possible to devise mitigations that protect the assets and close the vulnerabilities. Ranking the vulnerabilities by the risk they pose helps to decide which countermeasures to implement first and to prioritize the effort.
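The attack-tree and risk-ranking steps described above, as an added worked example (this is illustrative code written for this page, not part of the original OWASP article or any OWASP tool). The scenario is a constructed funds-transfer threat against a banking application; the asset impact, leaf likelihoods and mitigation costs are assumed estimates of the kind a threat modeling session would produce, and the evaluation rules (attacker takes the most likely branch at an OR node, needs every child of an AND node, and a mitigated leaf becomes unexploitable) are one common convention for attack trees, chosen here rather than prescribed by the page.

```python
"""Attack-tree evaluation and greedy countermeasure ranking.

Illustrative example added to the page; not code from the original article.
Scenario, likelihood estimates and mitigation costs are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass
class Node:
    name: str
    kind: str = "LEAF"            # "LEAF", "OR" (any child suffices) or "AND" (all children needed)
    likelihood: float = 0.0       # LEAF only: assumed probability that the attack step succeeds, in [0, 1]
    mitigation_cost: float = 1.0  # LEAF only: assumed relative cost of the countermeasure removing it
    children: List["Node"] = field(default_factory=list)


def success_probability(node: Node, mitigated: FrozenSet[str] = frozenset()) -> float:
    """Probability that an attacker reaches this node's goal.

    Assumptions: leaf likelihoods are independent; at an OR node the attacker
    takes the most likely branch (max); an AND node needs every child (product).
    A leaf named in `mitigated` is treated as no longer exploitable.
    """
    if node.kind == "LEAF":
        return 0.0 if node.name in mitigated else node.likelihood
    probs = [success_probability(c, mitigated) for c in node.children]
    if node.kind == "OR":
        return max(probs, default=0.0)
    if node.kind == "AND":
        p = 1.0
        for x in probs:
            p *= x
        return p
    raise ValueError(f"unknown node kind {node.kind!r}")


def leaves(node: Node) -> List[Node]:
    """All atomic attack steps under `node`, in tree order."""
    if node.kind == "LEAF":
        return [node]
    return [leaf for c in node.children for leaf in leaves(c)]


def plan_countermeasures(root: Node, impact: float) -> Tuple[float, List[Tuple[str, float]]]:
    """Greedy prioritisation: repeatedly mitigate the leaf whose countermeasure
    removes the most risk (success probability x asset impact) per unit cost.

    Returns the residual risk and the ordered (leaf name, risk removed) steps.
    Stops when no remaining countermeasure removes any risk.
    """
    mitigated: FrozenSet[str] = frozenset()
    current = success_probability(root) * impact
    plan: List[Tuple[str, float]] = []
    while True:
        best = None
        for leaf in leaves(root):
            if leaf.name in mitigated:
                continue
            residual = success_probability(root, mitigated | {leaf.name}) * impact
            removed = current - residual
            if removed <= 1e-12:
                continue  # this step does not lower the risk at present
            score = removed / leaf.mitigation_cost
            if best is None or score > best[0]:
                best = (score, leaf.name, removed, residual)
        if best is None:
            return current, plan
        _, name, removed, current = best
        mitigated = mitigated | {name}
        plan.append((name, removed))


# Constructed scenario: the asset is the customer's account balance.
FUNDS_TRANSFER_TREE = Node("Transfer funds out of a victim's account", "OR", children=[
    Node("Hijack an authenticated session", "AND", children=[
        Node("Inject script via reflected XSS", likelihood=0.5, mitigation_cost=5.0),
        Node("Session cookie readable by script (no HttpOnly)", likelihood=0.8, mitigation_cost=1.0),
    ]),
    Node("Log in with a guessed password", "AND", children=[
        Node("Password guessing is not rate limited", likelihood=0.6, mitigation_cost=2.0),
        Node("Customer uses a weak password", likelihood=0.3, mitigation_cost=4.0),
    ]),
    Node("Forge a transfer request (no anti-CSRF token)", likelihood=0.2, mitigation_cost=2.0),
])

ASSET_IMPACT = 100.0  # assumed relative impact of one successful fraudulent transfer


def baseline_risk() -> float:
    return success_probability(FUNDS_TRANSFER_TREE) * ASSET_IMPACT


if __name__ == "__main__":
    print(f"baseline risk: {baseline_risk():.1f}")
    residual, plan = plan_countermeasures(FUNDS_TRANSFER_TREE, ASSET_IMPACT)
    for step, (name, removed) in enumerate(plan, 1):
        print(f"{step}. mitigate '{name}' (removes {removed:.1f})")
    print(f"residual risk: {residual:.1f}")
```

Running the script ranks the cheap HttpOnly cookie flag ahead of application-wide output encoding, because both break the same AND branch but at very different cost; it then shows that the weak-password branch only matters once the session-hijacking and CSRF paths are closed, which is the kind of prioritization decision the ranking step is meant to support.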