Threat modeling is the process that improves software and network security by identifying and rating the potential threats and vulnerabilities your software may face, so that you can fix security issues before it’s too late. The process is then followed by defining countermeasures that will prevent those threats and exploits from putting your system at risk. This allows you to address threats with the appropriate solutions in a logical order, starting with the ones that present the greatest risk.
The first part of your threat modeling process is identifying the assets that need protection. Examples of important assets are client databases, software pages, and software availability.
Creating an architecture overview
The second step in threat modeling is laying out each function of your software, including its architecture, data flow, and technologies. The goal of this step is to find potential vulnerabilities in your software’s design and implementation.
In this step you break down the many elements of your software to gain a detailed understanding of its components. Through this step you create a security profile for your software, starting with the traditional areas of vulnerability. The security profile comes from identifying your software’s trust boundaries, data flow, entry points, and privileged code.
Identifying data flow
Trace your software’s data from the point it enters to the point it exits, in order to understand how your software interacts with external systems and how its internal components interact with each other. Identifying data flow is critical: code that receives data from across a foreign trust boundary should assume the data is malicious and validate it before accepting it.
Identifying entry points
Your software’s entry points may also serve as entry points for potential attacks. An entry point might be a front-end web application that accepts HTTP requests, a point intentionally exposed to clients. Other entry points may be internal ones, exposed by subcomponents within your software.
Identifying privileged code
According to Esus, privileged code lets you grant temporary permission to code that would not normally have permission to run, usually to access secure resources in your software. The key with privileged code is ensuring that each resource and asset it interacts with is not exposed to potentially malicious code.
Documenting the security profile
This is where you discover and map out all potential vulnerabilities and threats in your software’s design, implementation, authentication, and configuration, thus creating a security profile.
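The steps above (trust boundaries, data flow, entry points, privileged code, and the resulting security profile) can be captured in a small model and checked mechanically. The following is an added example, not code from the original article or from OWASP: it represents components in trust zones and the data flows between them, then derives the boundary crossings, the entry points, the crossings where the receiver does not validate the data, and the privileged components reachable from the internet zone. The system in `build_sample_model` is constructed for illustration and the zone names are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    """A part of the system under review, placed in a trust zone."""
    name: str
    zone: str                 # e.g. "internet", "dmz", "internal" (assumed names)
    privileged: bool = False  # runs with elevated rights or touches secure resources


@dataclass(frozen=True)
class DataFlow:
    """Data moving from one component to another."""
    source: str
    dest: str
    data: str
    validated: bool = False   # does the receiver validate before accepting?


@dataclass
class ThreatModel:
    components: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add_component(self, comp: Component) -> None:
        self.components[comp.name] = comp

    def add_flow(self, flow: DataFlow) -> None:
        for name in (flow.source, flow.dest):
            if name not in self.components:
                raise ValueError(f"unknown component in flow: {name}")
        self.flows.append(flow)

    def boundary_crossings(self) -> list:
        """Flows whose source and destination sit in different trust zones."""
        return [f for f in self.flows
                if self.components[f.source].zone != self.components[f.dest].zone]

    def entry_points(self) -> set:
        """Components that receive data from across a trust boundary."""
        return {f.dest for f in self.boundary_crossings()}

    def unvalidated_crossings(self) -> list:
        """Boundary crossings where the receiver trusts the data as-is."""
        return [f for f in self.boundary_crossings() if not f.validated]

    def privileged_reachable_from(self, zone: str) -> set:
        """Privileged components reachable by following flows out of the given zone."""
        seen = {c.name for c in self.components.values() if c.zone == zone}
        queue = deque(seen)
        while queue:
            current = queue.popleft()
            for f in self.flows:
                if f.source == current and f.dest not in seen:
                    seen.add(f.dest)
                    queue.append(f.dest)
        return {n for n in seen if self.components[n].privileged}

    def security_profile(self) -> list:
        """Human-readable findings that make up the security profile."""
        findings = []
        for f in self.unvalidated_crossings():
            src, dst = self.components[f.source], self.components[f.dest]
            findings.append(f"UNVALIDATED: {f.source} -> {f.dest} ({f.data}) "
                            f"crosses {src.zone}->{dst.zone}")
        for name in sorted(self.privileged_reachable_from("internet")):
            findings.append(f"PRIVILEGED: {name} is reachable from the internet zone")
        return findings


def build_sample_model() -> ThreatModel:
    """Constructed example system (not a real deployment)."""
    m = ThreatModel()
    for c in (Component("browser", "internet"),
              Component("web_app", "dmz"),
              Component("api", "internal"),
              Component("db", "internal", privileged=True),
              Component("backup_job", "internal", privileged=True)):
        m.add_component(c)
    m.add_flow(DataFlow("browser", "web_app", "HTTP form data", validated=True))
    m.add_flow(DataFlow("web_app", "api", "JSON order payload"))        # trusted as-is
    m.add_flow(DataFlow("browser", "api", "admin REST call"))            # overlooked exposure
    m.add_flow(DataFlow("api", "db", "parameterized SQL", validated=True))
    m.add_flow(DataFlow("backup_job", "db", "dump request", validated=True))
    return m


if __name__ == "__main__":
    for line in build_sample_model().security_profile():
        print(line)
```

Running the sample model reports the two unvalidated crossings (the API trusting both the web tier and, unexpectedly, the browser directly) and that the privileged database is reachable from the internet zone; the backup job, which nothing external can reach, is correctly absent. The reachability walk is what turns a pile of flows into the "which privileged code can untrusted input touch" question the article raises.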
Rating the threats
At this point in your threat modeling process you should already have a list of potential vulnerabilities and threats. By rating threats you can prioritize and focus on the threats that put you most at risk. The rating should be influenced by the likelihood of the threat causing serious damage to your software and by the other attacks it could enable.
OWASP recommends the Microsoft threat rating system called DREAD.
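DREAD scores each threat in five categories (Damage, Reproducibility, Exploitability, Affected users, Discoverability) and averages them into a single risk rating that is then used to order the list. The following is an added example, not code from the article, OWASP or Microsoft: it validates the per-category scores on the common 1 to 10 scale, computes the DREAD average, and sorts a constructed list of threats by rating. The High/Medium/Low band thresholds are an assumption for this example.

```python
from dataclasses import dataclass

DREAD_MIN, DREAD_MAX = 1, 10   # common 1-10 scale per category
DREAD_CATEGORIES = ("damage", "reproducibility", "exploitability",
                    "affected_users", "discoverability")


@dataclass(frozen=True)
class Threat:
    title: str
    damage: int            # D: how bad is it if the threat is realized?
    reproducibility: int   # R: how reliably can the attack be repeated?
    exploitability: int    # E: how little effort/skill does it take?
    affected_users: int    # A: how many users would be affected?
    discoverability: int   # D: how easy is the weakness to find?

    def __post_init__(self):
        for cat in DREAD_CATEGORIES:
            value = getattr(self, cat)
            if not DREAD_MIN <= value <= DREAD_MAX:
                raise ValueError(f"{self.title}: {cat}={value} outside "
                                 f"{DREAD_MIN}..{DREAD_MAX}")


def dread_score(t: Threat) -> float:
    """DREAD rating: the mean of the five category scores."""
    return sum(getattr(t, cat) for cat in DREAD_CATEGORIES) / len(DREAD_CATEGORIES)


def risk_band(score: float) -> str:
    """Bucket a DREAD score; thresholds are an assumption, adjust to your policy."""
    if score >= 7:
        return "High"
    if score >= 4:
        return "Medium"
    return "Low"


def prioritize(threats: list) -> list:
    """Order threats so the highest DREAD rating is handled first."""
    return sorted(threats, key=dread_score, reverse=True)


# Constructed sample threats for a hypothetical web shop; scores are illustrative.
SAMPLE_THREATS = [
    Threat("Insecure file permissions on nightly backups", 6, 5, 3, 2, 2),
    Threat("Admin login lacks lockout against password guessing", 7, 8, 6, 3, 6),
    Threat("SQL injection in order search", 8, 10, 7, 8, 9),
    Threat("Verbose error pages leak stack traces", 3, 10, 10, 5, 9),
]


def ranked_report(threats: list = SAMPLE_THREATS) -> list:
    """(title, rounded score, band) tuples, highest risk first."""
    return [(t.title, round(dread_score(t), 1), risk_band(dread_score(t)))
            for t in prioritize(threats)]


if __name__ == "__main__":
    for title, score, band in ranked_report():
        print(f"{score:4.1f} {band:6} {title}")
```

The output places the injection flaw first and the backup permissions last, which is the "fix the greatest risk first" ordering the article asks for. Because every category carries equal weight in the plain DREAD average, two very different threats (the high-damage, moderately discoverable injection and the low-damage but trivially reproducible stack-trace leak) can land in the same band; if that mismatches your priorities, weight the categories or use a separate likelihood-versus-impact pass.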