
Threat modelling at a moment’s notice

If information security professionals want to stay current, they need to be on top of the latest trends and technology in their field. They also need to be open to acquiring new skills and methodologies at a moment’s notice.

To make a long story short, today I was assigned a security architecture review project by my boss. It calls for application threat modelling using a risk assessment model.

I have no experience with application threat modelling.

Research Powers Engage!

What is threat modelling?

Threat modelling is a structured approach to analysing the security of an application: it lets you identify, quantify and address the security risks associated with that application. Threat modelling is not a way of reviewing code, but it complements the security code review process. Including threat modelling in the SDLC helps to ensure that applications are developed with security built in from the very beginning. The documentation produced as part of the threat modelling process, typically a data flow diagram with trust boundaries plus a list of threats and mitigations, also gives a reviewer a greater understanding of the system: where the entry points to the application are, and which threats are associated with each entry point.

I’m also looking at two models that are usually used together: STRIDE, for classifying threats, and DREAD, for rating the risk of each one.

STRIDE is a system developed by Microsoft for thinking about computer security threats. It provides a mnemonic for security threats in six categories, each of which is the violation of a security property the system should provide.

The threat categories are:

  • Spoofing – pretending to be another user, process or system (violates authentication)
  • Tampering – modifying data or code without authorisation (violates integrity)
  • Repudiation – denying having performed an action, with no way to prove otherwise (violates non-repudiation)
  • Information disclosure – exposing data to someone not authorised to see it (violates confidentiality)
  • Denial of service – making the system unavailable or degraded for legitimate users (violates availability)
  • Elevation of privilege – gaining capabilities beyond those that were granted (violates authorisation)

DREAD is part of a system for risk-rating computer security threats previously used at Microsoft. It provides a mnemonic for rating each threat against five factors, so that the threats found with STRIDE can be ranked and the worst ones fixed first.

The categories are:

  • Damage – how bad would an attack be?
  • Reproducibility – how easy is it to reproduce the attack?
  • Exploitability – how much work is it to launch the attack?
  • Affected users – how many people will be impacted?
  • Discoverability – how easy is it to discover the threat?

Each factor is rated on a fixed scale (commonly 1 to 10) and the five ratings are summed or averaged into a single risk score that is used to rank the threats. The ratings are judgment calls, so agree the scale and what each value means with the team before scoring, or two reviewers will rate the same threat very differently; that inconsistency is the usual criticism of DREAD and the reason Microsoft stopped using it.
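To see how the two models fit together, here is a small threat register that classifies each threat with a STRIDE letter, validates its DREAD ratings, and ranks the threats by score. This is an added example, not code from the original post or from Microsoft; the entry points, threats, 1-to-10 rating scale and risk-band thresholds are all constructed assumptions.

```python
"""Threat register with STRIDE classification and DREAD risk scoring.

Added example, not part of the original post. The entry points, threats
and ratings below are constructed for illustration only.
"""
from dataclasses import dataclass

# STRIDE categories and the security property each one violates.
STRIDE = {
    "S": ("Spoofing", "authentication"),
    "T": ("Tampering", "integrity"),
    "R": ("Repudiation", "non-repudiation"),
    "I": ("Information disclosure", "confidentiality"),
    "D": ("Denial of service", "availability"),
    "E": ("Elevation of privilege", "authorization"),
}

# DREAD factors, each rated on a 1..10 scale (an assumed scale for this example).
DREAD_FACTORS = ("damage", "reproducibility", "exploitability",
                 "affected_users", "discoverability")
RATING_MIN, RATING_MAX = 1, 10


def validate_ratings(ratings):
    """Reject missing, extra or out-of-range factors so a typo in the
    register cannot silently yield a plausible-looking score."""
    expected = set(DREAD_FACTORS)
    if set(ratings) != expected:
        raise ValueError(f"ratings must cover exactly {sorted(expected)}")
    for factor, value in ratings.items():
        if not isinstance(value, int) or not RATING_MIN <= value <= RATING_MAX:
            raise ValueError(f"{factor}={value!r} outside {RATING_MIN}..{RATING_MAX}")


@dataclass(frozen=True)
class Threat:
    entry_point: str
    description: str
    stride: str       # one STRIDE letter
    ratings: dict     # DREAD factor -> integer rating

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category {self.stride!r}")
        validate_ratings(self.ratings)

    @property
    def category(self):
        return STRIDE[self.stride][0]


def dread_score(ratings):
    """Mean of the five DREAD ratings: one number used to rank threats."""
    validate_ratings(ratings)
    return sum(ratings[f] for f in DREAD_FACTORS) / len(DREAD_FACTORS)


def risk_band(score):
    """Map a score to a band. Thresholds are an assumption for this example;
    agree them with the client before they appear in a report."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Return (threat, score, band) tuples, highest risk first. sorted() is
    stable, so ties keep register order and the ranking is reproducible."""
    scored = []
    for t in threats:
        s = dread_score(t.ratings)
        scored.append((t, s, risk_band(s)))
    return sorted(scored, key=lambda row: row[1], reverse=True)


# Constructed register for a hypothetical multi-tenant reporting application.
SAMPLE_THREATS = [
    Threat("POST /login", "Credential stuffing against password-only login", "S",
           dict(damage=7, reproducibility=9, exploitability=8,
                affected_users=8, discoverability=9)),
    Threat("GET /reports/{id}", "Report id is guessable and not checked against tenant", "I",
           dict(damage=8, reproducibility=10, exploitability=9,
                affected_users=6, discoverability=7)),
    Threat("Admin console", "Privileged changes are not written to an audit log", "R",
           dict(damage=4, reproducibility=10, exploitability=2,
                affected_users=3, discoverability=2)),
    Threat("Nightly export job", "Oversized export request ties up the single worker", "D",
           dict(damage=3, reproducibility=2, exploitability=3,
                affected_users=2, discoverability=2)),
]


if __name__ == "__main__":
    for t, score, band in rank_threats(SAMPLE_THREATS):
        print(f"{score:4.1f} {band:6} {t.stride} {t.category:24} "
              f"{t.entry_point}: {t.description}")
```

The validation step matters more than the arithmetic: in a real engagement the ratings usually arrive in a spreadsheet, and a missing or mistyped factor should fail loudly rather than produce a number that looks right in the final report.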

In the end it doesn’t matter what model I choose… as long as the engagement comes to a satisfying end for both the client and myself.

The client will be happy and I will have gained a new skill set for future engagements.

What have you learned today?

This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit TechPageOne. Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.