Threat Modeling

Threat modeling is rapidly gaining momentum as companies are trying to identify threats, attacks and vulnerabilities in their web applications ahead of time. This helps them get a clear understanding of the risk to their web applications and implement controls to manage the risk in the context of those web applications. Threat modeling can help you create an attack profile of your web applications by not only identifying both technical and logical threats but also assigning risk rating based on probability and Loss exposure ratio. This can be very useful in prioritizing the mitigation efforts in building secure architecture. Threat modeling is a structured approach to identify, quantify and manage the security risks associated with your applications.

An abuse case, on the other hand, is a use case from the point of view of an attacker. Its purpose is to capture the threats and the security requirement pertaining to a particular functionality (use case) of a system. Abuse case modeling is very helpful in

-> Identifying the type of attacker(s) to the system.
-> Identifying the threats to the system from those attacker(s).
-> Identifying the mitigating steps for those threats.

Abuse cases go beyond the architecture. Once an abuse case is generated, it can be used by

-> Architects – To identify threats and mitigating controls to the system.
-> Developers – Understand potential vulnerabilities and the mitigation steps to write secure code.
-> QA – Generate test cases targeting those specific vulnerabilities and identifying if proper mitigating controls has been implemented by developers.
-> Secure Code Review – Do a more specific code review on the implementation of mitigating controls.
-> Vulnerability Assessment / Penetration Testing – To perform targeted assessment of vulnerabilities identified in the abuse case.

Our consultants have a strong background not just as security professionals but also as architects and are best suited to build threat model / abuse case model and suggest mitigating controls which would not impact the functionality or the performance of the application while integrating proper mitigating controls to make your applications more secure. Contact us at sales@myappsecurity.com to speak with a specialist.