More and more organizations are employing threat modeling practices in an effort to improve the security architecture of their applications. This process can be very costly and time consuming as it takes a security expert (or a number of experts) to identify high value assets, analyze the application and/or infrastructure, assess the risk and prioritize the threats and vulnerabilities, and finally deliver the security requirements to the software architects and development team. This must be done for each application, and should also be revisited for each new feature added, in order to maintain security after initial release.
To understand the practice of threat modeling, we must first distinguish between the two disparate classes of security weaknesses that exist. Some articulate the difference as “business logic” vs. “technical” or “semantic” vs. “syntactic”. To build on a term familiar to developers, we classify threats into two different “domains”. Each kind of software weakness is domain-based or domain-agnostic (or both). Making this distinction is critical.
- Domain-agnostic threats are software weaknesses that result from the type of application, the choice of technologies/protocols, the type of data being handled, the relevant compliance regulations and so on. For example, XSS is a common weakness for all web applications, and SQL injection applies to all applications that use SQL-based backend databases. They are commonly repeated and can be easily catalogued.
- Domain-based threats are business logic threats that are usually identified by domain experts when assessing the risks associated with the functionality of the application. An example is the need for a second approval when sending more than $1,000 in wire transfers.
Now that we have distinguished these two distinct types of weaknesses, you might notice that domain-agnostic threats, given their characteristic consistency, can be compiled into a knowledge base of common threats. This library effectively serves as the best-practice guidelines for application security within the organization. Furthermore, the domain-agnostic threats can be scaled to numerous projects and releases in an efficient, repeatable manner by employing automation tools and processes. There are two situations where scaling and automating threat modeling is a necessity:
- In large enterprises where a very small application security team needs to attend to the needs of a large portfolio of applications being developed and maintained.
- When organizations transition to Agile, DevOps or Continuous Delivery methodologies, and there is a need to repeat the threat modeling activity up to 5–10x more often due to the greater number of releases potentially being built each year.
Streamlining the domain-agnostic portion of the threat modeling activity through automation allows application security experts to focus their manual effort on identifying domain-based threats, which are unique to every application and require more attention and due diligence. Additionally, precious man-hours are saved through automation, which prevents the threat modeling activity from becoming a bottleneck and allows it to keep pace with the rapid release cycles of Agile development.
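The knowledge-base approach described above can be sketched in a few dozen lines. The following is an added example, not code from the original post or from any product the author is associated with: a small catalogue of domain-agnostic threats, each keyed on application characteristics (technology choices, data handled), that is matched against a project profile to emit the automated security requirements, while the business-logic items are carried through untouched for expert review. A second function compares two releases of the same application so the automated portion can be re-run whenever a feature changes the profile. All threat identifiers, requirement wording and profile attributes are constructed placeholders.

```python
"""Toy domain-agnostic threat knowledge base (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Threat:
    """One catalogued, domain-agnostic weakness and the requirement that addresses it."""
    id: str
    title: str
    requirement: str               # handed to architects/developers when the threat applies
    applies_if: FrozenSet[str]     # profile attributes that must ALL be present


# Constructed catalogue; ids and wording are illustrative, not from a real standard.
KNOWLEDGE_BASE: List[Threat] = [
    Threat("KB-001", "Cross-site scripting",
           "Contextually encode all untrusted output; set a restrictive Content-Security-Policy.",
           frozenset({"web"})),
    Threat("KB-002", "SQL injection",
           "Use parameterized queries for every database call; no string-built SQL.",
           frozenset({"sql"})),
    Threat("KB-003", "Session fixation / hijacking",
           "Rotate the session identifier on login; mark cookies Secure and HttpOnly.",
           frozenset({"web", "authenticated"})),
    Threat("KB-004", "Cardholder data exposure",
           "Tokenize or truncate card numbers at rest; restrict access to the payment service.",
           frozenset({"payment_data"})),
    Threat("KB-005", "Cleartext transport",
           "Require TLS for all network listeners; reject downgrade to plaintext.",
           frozenset({"network"})),
]


@dataclass
class AppProfile:
    """What a developer fills in per application: attributes drive the automated part,
    domain_notes are business-logic concerns that only a domain expert can assess."""
    name: str
    attributes: FrozenSet[str]
    domain_notes: List[str] = field(default_factory=list)


def applicable_threats(profile: AppProfile, kb: List[Threat] = KNOWLEDGE_BASE) -> List[Threat]:
    """Select catalogue entries whose trigger attributes are a subset of the profile's."""
    return sorted((t for t in kb if t.applies_if <= profile.attributes), key=lambda t: t.id)


def threat_model_report(profile: AppProfile, kb: List[Threat] = KNOWLEDGE_BASE) -> dict:
    """Automated requirements plus the domain-based items left for manual review."""
    auto = applicable_threats(profile, kb)
    return {
        "application": profile.name,
        "automated": [(t.id, t.title, t.requirement) for t in auto],
        "manual_review": list(profile.domain_notes),
    }


def diff_releases(old: AppProfile, new: AppProfile,
                  kb: List[Threat] = KNOWLEDGE_BASE) -> Tuple[List[str], List[str]]:
    """Threat ids newly introduced and retired when a release changes the profile,
    so the automated portion can be re-run per feature instead of per project."""
    old_ids = {t.id for t in applicable_threats(old, kb)}
    new_ids = {t.id for t in applicable_threats(new, kb)}
    return sorted(new_ids - old_ids), sorted(old_ids - new_ids)


if __name__ == "__main__":
    portal = AppProfile(
        "wire-transfer portal",
        frozenset({"web", "sql", "authenticated", "network"}),
        ["Second approval required for wire transfers over $1,000"],
    )
    report = threat_model_report(portal)
    for tid, title, req in report["automated"]:
        print(f"{tid} {title}: {req}")
    print("For expert review:", report["manual_review"])
    v2 = AppProfile(portal.name, portal.attributes | {"payment_data"}, portal.domain_notes)
    print("Added/retired in v2:", diff_releases(portal, v2))
```

The matching rule is deliberately a plain subset test: a threat fires when every attribute it depends on is present, which keeps the catalogue auditable and lets an application security team review the rules once rather than every project. The domain-based notes are never interpreted by the code, which mirrors the division of labour the post argues for.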
About the Guest Blogger
Ehsan Foroughi is an application security expert with 8+ years of management and technical experience in security research. He led the Vulnerability Research Subscription Service for TELUS Security Labs. As an entrepreneur, he has also served as the founder and CTO of TELTUB, a successful telecommunication startup. Ehsan holds an M.Sc. in Computer Science from the University of Toronto and a B.Eng. from Sharif University of Technology, as well as CISM and CISSP designations.