Threat modeling is an approach for analyzing the security of an application. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application.
2. WhoAmI
● Lazy Blogger
– Japan, Security, FOSS, Politics, Christian
– http://narudomr.blogspot.com
● Information Security since 1995
● Web Application Development since 1998
● SVP, Cloud and Security Architect, Digital Innovation and Data Group,
Bank of Ayudhya (Krungsri) PCL
● Security and Risk Committee at National Digital ID Co.,Ltd.
● APAC Research Advisory Council Member at Cloud Security Alliance Asia Pacific
● Co-Chair, Hybrid Cloud Security Working Group at Cloud Security Alliance
● Consultant, OWASP Thailand Chapter
● Chief Information Security Officer (CISO) of the Year 2017, NetworkWorld Asia
● Contact: narudom@owasp.org
5. Security as an Afterthought
Relative cost of security fixes, based on time of detection
Source: The National Institute of Standards and Technology (NIST)
7. Attack Surface
[Diagram: attacks directed at the system's surface (e.g., its API). Intuition: reduce the ways attackers can penetrate the surface and the system's security increases.]
A software or application's attack surface is the measure of its exposure to exploitation by a threat agent, i.e., the weaknesses in its entry and exit points that a malicious attacker can exploit to his or her advantage.
8. Attacks on the Internet
Source: IBM Software Group, Rational Software
9. Relative Attack Surface
● Simple way of measuring potential for attack
● Goal of a product should be to reduce attack surface
– Lower privilege
– Turn features off
– Defense in depth
● Does not address code quality
● Hard to compare dissimilar products
10. Attack Surface Analysis
Attack Surface Analysis helps you to:
● Identify what functions and what parts of the system you need to review/test for security vulnerabilities
● Identify high-risk areas of code that require defense-in-depth protection: the parts of the system that you need to defend
● Identify when you have changed the attack surface and need to do some kind of threat assessment
11. Defining the Attack Surface of an Application
● The sum of all paths for data/commands into and out of the application
● The code that protects these paths
– Including resource connection and authentication, authorization, activity logging, data validation and encoding
● All valuable data used in the application
– Including secrets and keys, intellectual property, critical business data, personal data and PII
● The code that protects these data
– Including encryption and checksums, access auditing, and data integrity and operational security controls
12. Identifying and Mapping the Attack Surface
Points of entry/exit, by technology:
● User interface (UI) forms and fields
● HTTP headers and cookies
● APIs
● Files
● Databases
● Other local storage
● Email or other kinds of messages
● Run-time arguments
● ...Your points of entry/exit
Points of entry/exit, by function and design:
● Login/authentication entry points
● Admin interfaces
● Inquiries and search functions
● Data entry (CRUD) forms
● Business workflows
● Transactional interfaces/APIs
● Operational command and monitoring interfaces/APIs
● Interfaces with other applications/systems
● ...Your types
13. Measuring and Assessing the Attack Surface
Focus on remote entry points (interfaces with outside systems and with the Internet), and especially where the system allows anonymous, public access.
● Network-facing, especially internet-facing code
● Web forms
● Files from outside of the network
● Backwards-compatible interfaces with other systems: old protocols, sometimes old code and libraries, hard to maintain and test across multiple versions
● Custom APIs, protocols, etc.: likely to have mistakes in design and implementation
● Security code: anything to do with cryptography, authentication, authorization (access control) and session management
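The inventory, scoring and change-detection described in slides 10 to 13, as an added example (not code from the original deck). A constructed list of entry/exit points is scored by how reachable each one is (exposure, required authentication, file input, legacy protocol, security-critical code), sorted into a review order, and two versions of the inventory are compared so a changed attack surface triggers a threat assessment. The EntryPoint fields, the weights and the banking-style sample inventory are assumptions chosen for illustration; the score only ranks entry points of one product against each other, it does not compare dissimilar products.

```python
"""Inventory and relative measurement of an application's attack surface.

Added example, not code from the original deck. Field names, weights and the
sample inventory are assumptions made for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class EntryPoint:
    name: str
    kind: str                     # "web_form", "api", "file", "admin", "cli", ...
    exposure: str                 # "internet", "partner", "internal", "local"
    auth: str                     # "anonymous", "user", "admin"
    security_code: bool = False   # crypto, authentication, authorization, sessions
    legacy: bool = False          # backwards-compatible protocol / old library


# Assumed weights: remote and anonymous reachability dominate the score
EXPOSURE_WEIGHT = {"internet": 4, "partner": 3, "internal": 2, "local": 1}
AUTH_WEIGHT = {"anonymous": 3, "user": 2, "admin": 1}


def score(ep: EntryPoint) -> int:
    """Higher means more exposed; used to rank, not as an absolute risk."""
    s = EXPOSURE_WEIGHT[ep.exposure] * AUTH_WEIGHT[ep.auth]
    if ep.kind == "file":        # files from outside the network
        s += 2
    if ep.legacy:                # old protocols and libraries, hard to test
        s += 2
    if ep.security_code:         # mistakes here undermine everything else
        s += 3
    return s


def relative_attack_surface(inventory: List[EntryPoint]) -> int:
    """Sum of entry-point scores; comparable between versions of one product only."""
    return sum(score(ep) for ep in inventory)


def review_order(inventory: List[EntryPoint]) -> List[str]:
    """Entry points to review/test first, highest score first."""
    return [ep.name for ep in sorted(inventory, key=score, reverse=True)]


def surface_delta(before: List[EntryPoint], after: List[EntryPoint]) -> Dict[str, object]:
    """What changed between two inventories; any non-empty list means reassess."""
    b = {ep.name: ep for ep in before}
    a = {ep.name: ep for ep in after}
    return {
        "added": sorted(set(a) - set(b)),
        "removed": sorted(set(b) - set(a)),
        "changed": sorted(n for n in set(a) & set(b) if a[n] != b[n]),
        "score_change": relative_attack_surface(after) - relative_attack_surface(before),
    }


# Constructed inventory for a hypothetical online-banking front end, version 1
V1 = [
    EntryPoint("login form", "web_form", "internet", "anonymous", security_code=True),
    EntryPoint("password reset", "web_form", "internet", "anonymous", security_code=True),
    EntryPoint("statement upload (CSV)", "file", "internet", "user"),
    EntryPoint("transfer API", "api", "internet", "user"),
    EntryPoint("SOAP partner API v1", "api", "partner", "user", legacy=True),
    EntryPoint("admin console", "admin", "internet", "admin", security_code=True),
    EntryPoint("batch job CLI args", "cli", "local", "admin"),
]

# Version 2: legacy partner API switched off ("turn features off"), admin
# console moved to the internal network, one new internet-facing API added
V2 = [replace(ep, exposure="internal") if ep.name == "admin console" else ep
      for ep in V1 if ep.name != "SOAP partner API v1"]
V2.append(EntryPoint("open banking API", "api", "internet", "user"))

if __name__ == "__main__":
    print("v1 relative attack surface:", relative_attack_surface(V1))
    print("review first:", review_order(V1)[:3])
    print("v1 -> v2:", surface_delta(V1, V2))
```

Running it ranks the two anonymous, internet-facing authentication forms first, and the v1 to v2 comparison reports one added, one removed and one changed entry point with a small net reduction in score: exactly the signal that a threat assessment of the new API and the moved console is due.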
15. What Is Threat Modeling?
Threat modeling is an approach for analyzing the security
of an application. It is a structured approach that enables
you to identify, quantify, and address the security risks
associated with an application.
16. Why Threat Modeling?
● It is better to find security flaws when there is still time to fix them.
● It can save time, revenue and the reputation of your company.
● To build a secure application.
● To bridge the gap between developers and security.
● It produces a document of all identified threats, each with a rating.
● It builds knowledge and awareness of the latest risks and vulnerabilities.
17. How to Do Threat Modeling
Three phases: Define, Model, Measure.
Step 1 Identify security objectives and assets
Step 2 Profile the application
Step 3 Decompose the application
Step 4 Identify threats and vulnerabilities
Step 5 Document the threats
Step 6 Prioritize and mitigate the threats
18. Identify Security Objectives and Assets
● Examples
– Prevention of data theft
– Protection of IP
– Provide system high availability
● Inputs to identify security objectives
– Internal organizational policies and standards
– Regulations, compliance, and privacy requirements
– Business and functional requirements
19. Profile the Application
● Identify the physical topology
● Identify the logical topology
● Determine components, services, protocols, and ports
● Identify data elements
● Generate a data access control matrix
20. Decompose the Application
● Identify trust boundaries
● Identify entry points
● Identify exit points
● Identify data flows
● Identify privileged code
● Document the security profile
21. Identify threats and vulnerabilities
● Think like an attacker (brainstorming and using attack trees)
● Use a categorized threat list
– NSA IAM
– OCTAVE
– STRIDE
23. Attack Tree with Indicator Value Example
[Attack tree diagram; each node carries an indicator triple X, Y, Z where X = cost, Y = probability, Z = technical ability.]
24. STRIDE Category of Threats
Threat                  Core property     Question to ask
Spoofing                Authentication    Can an attacker impersonate another user or identity?
Tampering               Integrity         Can the data be tampered with while it is in transit, in storage or in archives?
Repudiation             Accountability    Can the attacker (user or process) deny the attack?
Information disclosure  Confidentiality   Can information be disclosed to unauthorized users?
Denial of service       Availability      Is denial of service a possibility?
Elevation of privilege  Authorization     Can the attacker bypass the least-privilege implementation and execute the software at elevated or administrative privileges?
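Steps 3 to 6 (decompose, identify threats with STRIDE, document, prioritize) carried through in code, as an added example that is not from the original deck. It takes the output of the decomposition step (elements with trust zones, privileged code, data flows), applies STRIDE element by element in the usual data-flow-diagram practice (external entities: S, R; processes: all six; data stores: T, R, I, D; data flows: T, I, D), rates flows that cross a trust boundary and elevation of privilege against privileged code as High, and renders each threat in the layout of the deck's "Document the Threat" example. The per-element mapping, the risk rule and the sample banking model are assumptions made for illustration.

```python
"""STRIDE applied per element to a decomposed application model.

Added example, not code from the original deck. The per-element mapping,
the risk rule and the sample model are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List

STRIDE = {
    "S": ("Spoofing", "Authentication"),
    "T": ("Tampering", "Integrity"),
    "R": ("Repudiation", "Accountability"),
    "I": ("Information disclosure", "Confidentiality"),
    "D": ("Denial of service", "Availability"),
    "E": ("Elevation of privilege", "Authorization"),
}

# STRIDE-per-element: which categories are considered for each element type
PER_ELEMENT = {
    "external_entity": "SR",
    "process": "STRIDE",
    "data_store": "TRID",
    "data_flow": "TID",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                  # key of PER_ELEMENT other than "data_flow"
    trust_zone: str            # e.g. "internet", "dmz", "internal"
    privileged: bool = False   # runs with elevated rights (privileged code)


@dataclass(frozen=True)
class Flow:
    name: str
    src: str
    dst: str
    data: str


@dataclass(frozen=True)
class Threat:
    identifier: str
    category: str
    core: str
    target: str
    description: str
    risk: str


def crosses_boundary(flow: Flow, zones: Dict[str, str]) -> bool:
    """A flow between different trust zones crosses a trust boundary."""
    return zones[flow.src] != zones[flow.dst]


def generate_threats(elements: List[Element], flows: List[Flow]) -> List[Threat]:
    zones = {e.name: e.trust_zone for e in elements}
    threats: List[Threat] = []

    def add(letter: str, target: str, description: str, risk: str) -> None:
        name, core = STRIDE[letter]
        threats.append(Threat(f"T#{len(threats) + 1:04d}", name, core, target, description, risk))

    for e in elements:
        for letter in PER_ELEMENT[e.kind]:
            # Assumed rule: EoP against privileged code is rated High up front
            risk = "High" if (e.privileged and letter == "E") else "Medium"
            add(letter, e.name, f"{STRIDE[letter][0]} against {e.kind.replace('_', ' ')} '{e.name}'", risk)

    for f in flows:
        boundary = crosses_boundary(f, zones)
        for letter in PER_ELEMENT["data_flow"]:
            desc = f"{STRIDE[letter][0]} of '{f.data}' on flow '{f.name}' ({f.src} -> {f.dst})"
            if boundary:
                desc += ", which crosses a trust boundary"
            add(letter, f.name, desc, "High" if boundary else "Medium")
    return threats


def prioritized(threats: List[Threat]) -> List[Threat]:
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted(threats, key=lambda t: order[t.risk])   # stable: keeps identifier order within a rating


def document(t: Threat) -> str:
    """Render one threat the way the deck's 'Document the Threat' slide does."""
    return "\n".join([
        f"Threat identifier   {t.identifier}",
        f"Threat description  {t.description}",
        f"Threat targets      {t.target}",
        f"STRIDE category     {t.category} ({t.core})",
        f"Risk                {t.risk}",
    ])


# Constructed model of a hypothetical banking transfer feature
ELEMENTS = [
    Element("Browser user", "external_entity", "internet"),
    Element("Web app", "process", "dmz"),
    Element("Transfer service", "process", "internal", privileged=True),
    Element("Accounts DB", "data_store", "internal"),
]
FLOWS = [
    Flow("Login request", "Browser user", "Web app", "credentials"),
    Flow("Transfer call", "Web app", "Transfer service", "transfer order"),
    Flow("Account query", "Transfer service", "Accounts DB", "SQL"),
]

if __name__ == "__main__":
    for t in prioritized(generate_threats(ELEMENTS, FLOWS))[:3]:
        print(document(t), end="\n\n")
```

The generated list is a starting point for brainstorming, not a finished model: every candidate still needs a reviewer to decide whether the existing controls (authentication on the login flow, TLS between zones, audit logging at the data store) already mitigate it, and to refine the rating with the cost/probability/skill indicators from the attack-tree slide.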
25. Document the Threat: Example
Threat identifier   T#0001
Threat description  Injection of SQL commands
Threat targets      Data access component; backend database
Attack techniques   Attacker appends SQL commands to the user name, which is used to form an SQL query.
Security impact     Information disclosure; alteration; destruction (drop tables/procedures, delete data, etc.); authentication bypass
Risk                High
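The attack technique recorded in T#0001, appending SQL to the user name, demonstrated against a constructed in-memory SQLite user table with the mitigated query beside it. This is an added example, not code from the original deck; the table, the credentials and the payloads are constructed for illustration, and passwords are stored in clear text only to keep the demonstration short (a real system stores salted hashes).

```python
"""SQL injection via the user name: vulnerable query next to the fixed one.

Added example, not code from the original deck. The user table and the
payloads are constructed for illustration.
"""
import sqlite3
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data; passwords in clear text for brevity only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "correct-horse"), ("admin", "s3cret")])
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """The threat as recorded: the user name is concatenated into the query."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[str]:
    """Mitigation: parameterized query; input never becomes part of the SQL text."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


# Authentication bypass: the comment marker drops the password check
BYPASS_USER = "admin' --"
# Information disclosure: a UNION pulls another column out through the login result
LEAK_USER = "' UNION SELECT password FROM users WHERE username = 'admin' --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, bypass  :", login_vulnerable(db, BYPASS_USER, "wrong"))
    print("vulnerable, leak    :", login_vulnerable(db, LEAK_USER, "x"))
    print("safe, bypass attempt:", login_safe(db, BYPASS_USER, "wrong"))
    print("safe, real user     :", login_safe(db, "alice", "correct-horse"))
```

The two payloads correspond to the "authentication bypass" and "information disclosure" entries in the record's security impact; the "destruction" entry (stacked `DROP TABLE` statements) depends on whether the driver executes more than one statement per call, which the Python sqlite3 module refuses, so it is not shown here.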