Application Threat Modeling

Build more secure software

Overview

Research shows that fixing security problems early in the development cycle is more efficient and cost-effective than the traditional penetrate-and-patch model. Foundstone application threat modeling services allow our consultants to identify software security problems — often before the software is even built.

According to software engineering studies, about 80% of security bugs and flaws are introduced during the early stages of software development, often before a single line of code is written. Application threat modeling typically identifies over 75% of these issues up front, so development teams can avoid building insecure designs in the first place.

Key Benefits

No matter when it is performed within the software development lifecycle, threat modeling can have a significant positive impact on the security of an application. When performed early in the development lifecycle, threat modeling can uncover security risks that can be mitigated with design changes and proper implementation. When performed later on in the development lifecycle, threat modeling can identify design and implementation issues that can be tested and verified via code reviews and penetration testing. In fact, Foundstone recommends starting any sizeable code review with a threat model. Threat models allow us to efficiently navigate through large and complex code bases. Building a threat model helps scale down the effort required for a code review by 40% to 60%, allowing consultants to focus on the security-significant portions of the code.

Foundstone’s threat modeling capability rests on software security consultants who have built threat models and audited source code for numerous client applications, as well as for their own software. All of them have worked as developers on large enterprise software systems, either at software vendors or within corporate IT departments, so they understand the software development process and why and how security bugs are introduced.

Methodology

Conceptually, threat modeling is a systematic process that consists of several discrete steps with clearly defined entry and exit criteria, deliverables, and objectives. Based on our experience, successful modeling activity usually follows a pattern. By following key steps, we ensure that our modeling activity is focused and effective.

As with all good processes, the first step is to plan and optimize the process for a successful outcome. This includes:

  • Identifying the threat modeling team
  • Defining the risk ranking model to be used (if any)
  • Agreeing on terminology for the modeling activity

The second step is to model the business view: the business environment in which the system operates. This must be analyzed so that the system’s functionality and business purpose are understood, and so that applicable laws, regulations, guidelines, and policies are taken into account.

In the third step, the system is analyzed from a technical standpoint. A solid understanding of the system is essential to the success of the whole process. As part of this step, Foundstone consultants perform a detailed, security-focused architecture and design review that identifies the attack surface (the entry points, trust boundaries, and data flows an attacker can reach) and the potential attack vectors against it.

Based on the information collected during these steps, we model the threats to the system and the countermeasures already in place, and from there derive a model of your risk level. The methodology is generic enough to accommodate different risk ranking models, and the whole process is often iterative.
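The steps above (agree a risk ranking model, understand the system, identify the attack surface, model threats and existing countermeasures, rank the result) can be captured as a small, reproducible threat model in code. The following is an added example written for this page; it is not Foundstone's tooling or deliverable format. It assumes a STRIDE-style threat taxonomy and a simple likelihood-times-impact ranking, neither of which the page names, and the three-tier web application it models is constructed for illustration.

```python
"""Threat model as data: components, trust boundaries, data flows, STRIDE-style
threats per flow, a numeric risk ranking that credits existing countermeasures,
and the sorted table that drives a review. Added example, not Foundstone's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Component:
    name: str
    trust_zone: str  # e.g. "internet", "dmz", "internal"


@dataclass
class DataFlow:
    source: Component
    sink: Component
    data: str
    # Controls already present on the flow, named by the property they provide.
    countermeasures: List[str] = field(default_factory=list)

    def crosses_boundary(self) -> bool:
        """A flow is attack surface when it crosses a trust boundary."""
        return self.source.trust_zone != self.sink.trust_zone


# STRIDE categories (assumption: the page names no taxonomy), each paired with
# the security property whose presence on a flow mitigates it.
STRIDE: Dict[str, str] = {
    "Spoofing": "authentication",
    "Tampering": "integrity",
    "Repudiation": "logging",
    "Information disclosure": "confidentiality",
    "Denial of service": "rate-limiting",
    "Elevation of privilege": "authorization",
}

# Constructed (likelihood, impact) on a 1-5 scale per category: a stand-in for
# whichever risk ranking model the team agreed on during planning.
BASE_SCORES: Dict[str, Tuple[int, int]] = {
    "Spoofing": (4, 4),
    "Tampering": (3, 4),
    "Repudiation": (2, 2),
    "Information disclosure": (3, 5),
    "Denial of service": (3, 3),
    "Elevation of privilege": (2, 5),
}


@dataclass
class Threat:
    flow: DataFlow
    category: str
    likelihood: int
    impact: int
    mitigated: bool

    @property
    def risk(self) -> int:
        # An existing countermeasure lowers likelihood instead of deleting the
        # row: the threat stays in the model so a test plan can verify the control.
        likelihood = max(1, self.likelihood - 2) if self.mitigated else self.likelihood
        return likelihood * self.impact


def attack_surface(flows: List[DataFlow]) -> List[DataFlow]:
    """Flows that cross a trust boundary are what an external attacker can reach."""
    return [f for f in flows if f.crosses_boundary()]


def enumerate_threats(flows: List[DataFlow]) -> List[Threat]:
    threats: List[Threat] = []
    for flow in flows:
        for category, control in STRIDE.items():
            likelihood, impact = BASE_SCORES[category]
            if not flow.crosses_boundary():
                # Inside one trust zone an external attacker has no direct access;
                # keep only what a trusted peer can still cause, at reduced odds.
                if category not in ("Repudiation", "Information disclosure"):
                    continue
                likelihood = max(1, likelihood - 2)
            threats.append(Threat(flow, category, likelihood, impact,
                                  mitigated=control in flow.countermeasures))
    # Stable sort: equal risks keep flow order, so the table is reproducible.
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def tabulate(threats: List[Threat]) -> List[Tuple[str, str, int, bool]]:
    return [(f"{t.flow.source.name}->{t.flow.sink.name}", t.category,
             t.risk, t.mitigated) for t in threats]


def model(flows: List[DataFlow]) -> List[Tuple[str, str, int, bool]]:
    return tabulate(enumerate_threats(flows))


# Constructed sample system: a three-tier web application.
browser = Component("browser", "internet")
webapp = Component("web app", "dmz")
database = Component("database", "internal")
backup = Component("backup", "internal")

SAMPLE_FLOWS = [
    DataFlow(browser, webapp, "credentials", ["authentication", "confidentiality"]),
    DataFlow(webapp, database, "SQL queries", ["authentication"]),
    DataFlow(database, backup, "database dump"),
]

if __name__ == "__main__":
    print(f"{len(attack_surface(SAMPLE_FLOWS))} boundary-crossing flows")
    for row in model(SAMPLE_FLOWS):
        print("%-22s %-24s risk=%2d mitigated=%s" % row)
```

Run as-is, the highest-ranked row is unmitigated information disclosure on the web app to database flow, which is exactly the kind of finding that steers a later code review toward the data access layer rather than the whole code base. Flows that stay inside one trust zone produce far fewer rows, which is the attack surface reduction the design review is meant to surface.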

We produce both graphical and textual models that are used to drive pragmatic security decisions. Our deliverables typically include Microsoft Office Visio-based models of the application architecture, together with the sorted and tabulated threat data and results. On request, our models also include test plans.