Over the past decade, security awareness has increased, but so has the prevalence of powerful tools at the hands of amateurs and experts alike. Other highly prevalent attacks against web applications include cross-site scripting, cross-site request forgery and brute force attacks. According to the Verizon Data Breach report 2013, forms of hacking accounted for 52% of breaches, of which SQL Injection commanded 8% of the attacks.
And while security programs across enterprises have matured, effective risk mitigation techniques in the form of secure architecture and secure software development have not been given the appropriate attention. Exercises to put a process of secure development in place have been largely theoretical and in most cases not scalable across global organizations. Security as a whole, still resides on the back burner, instead of being an integral part of the development process. Costs associated with post-production testing and incident response continue to soar, as compared to the much lower cost of building applications securely from the ground up.
Threat modeling is the practice of creating models that identify, predict and define internal and external security threats of a given software program or computer system. Here’s what we’ve identified as the top 5 reasons to leverage threat modeling, as a way to optimally mitigate your application risk. With threat modeling you’re able to:
1. Allow security and development teams to pinpoint high value targets and data exposure early in the design phase, before applications are moved to production.
2. Promote the use of secure code, enforcing standards organization-wide.
3. Enable pen testers to focus on the most critical entry points in applications.
4. Generate reports and checklists to validate that proper security controls are in place to meet compliance objectives.
5. Identify threats in applications, classify them by risk, and predict the business and technical impact, if an attack were to be carried out against your organization.
ThreatModeler™, MyAppSecurity’s flagship offering, is the industry’s first automated, scalable, and repeatable threat modeling product. Please contact us to learn more about ThreatModeler™.