This Guide contains the following modules:
| • | Overview of Web application threat Models |
| • | How to: create a threat model for Web applications during design |
| • | Memo form: Web Application Security Framework |
| • | Walkthrough: create a threat model for a Web application |
| • | Template: Web application threat model |
| • | Template example: Web application threat model |
Five major steps 1 of Threat modeling are shown. Step 2 to Step 5 should be repeated to Gradually refine the threat model. As the application development cycle advances, you will find more content about the application design and be able to add more details.
Figure 1. Repeated Threat modeling process
The five steps for threat modeling are:
| • | Step 1: Determine the security objectives.Clear goals help you focus on Threat modeling activities and determine how much work will be done in subsequent steps. |
| • | Step 2: Create an application overview.Listing important characteristics and participants of an application one by one helps to identify related threats in step 4. |
| • | Step 3: break down the application.A comprehensive understanding of the application structure makes it easier for you to discover more relevant and specific threats. |
| • | Step 4: Determine the threat.Use the details in steps 2 and 3 to identify threats related to your application solution and context. |
| • | Step 5: determine the vulnerability.Check the layers of the application to identify threats-related vulnerabilities. Use the vulnerability category to help you focus on the most common error areas. |
Table 1 lists many common use schemes and the resources that should be used in each scheme.
| Table 1: Solutions and related resources | |||||
| Solution | Resources | ||||
| New to threat modeling. |
|
||||
| Quick Start. |
|
||||
| Prepare for threat modeling. |
|
||||
| Template or example is required. |
|
||||
| References are required to help identify threats and vulnerabilities. |
|
||||
Threat modeling is an engineering technology that you can use to help identify threats, attacks, vulnerabilities, and countermeasures in the context of an application solution. Threat modeling activities can help you:
| • | Determine security objectives. |
| • | Identify related threats. |
| • | Determine relevant vulnerabilities and countermeasures. |
Threat modeling:
| • | Make the application design meet your security goals. |
| • | This helps you balance your decisions on major projects. |
| • | Reduces the risk of security issues arising during development and operations. |
Threat modeling uses the following terms:
| • | Assets.An asset is a value resource. It varies by angle. For an enterprise, assets may refer to information availability or information itself, such as customer data. It may also be invisible, such as the company's reputation. Attackers may abuse your applications to illegally access data or perform privileged operations. |
| • | Threat.A threat is an unexpected event. It is a potential event. It is generally best described as an influence that may damage assets or targets or endanger their security. In essence, it may be malicious or not malicious. |
| • | Vulnerability.A vulnerability is a vulnerability that may be exploited by a certain aspect or function of the system. Vulnerabilities exist at the network, host, or application level, including operation practices. |
| • | Attack (or exploitation ).An attack is a threat by exploiting one or more vulnerabilities. This behavior may be performed by someone by tracking threats or exploiting vulnerabilities. |
| • | Countermeasure.Countermeasures can solve vulnerabilities to reduce the possibility or impact of attacks. They do not directly address threats; instead, they address the factors that define threats. The scope of countermeasures includes improving application design, code improvement, and operation practices. |
Modes and practicesThe Threat modeling method has been optimized to help you identify vulnerabilities in the context of the application solution. In this way, you can quickly determine what you know, what you don't know, and what you need to know next. Security goals can help you succeed and limit your investment.
The pattern-based approach allows you to organize vulnerabilities in a more systematic and repetitive manner. It also helps you take advantage of common knowledge and avoid repeated efforts.
The type (scheme and context) of the application you want to build is an important aspect of relevance. For example, the vulnerabilities of Internet-oriented web applications may be different from those of reusable components in Intranet-oriented business applications.
Table 2 summarizes the main concepts related to the threat modeling method.
| Table 2: Main Concepts | |||||||
| Concept | Description | ||||||
| Modeling to Reduce Risks | Threat modeling is performed to determine when and where more energy should be invested. There are many vulnerabilities, threats, and attacks. Your applications are unlikely to encounter them. Your company is unlikely to have to solve them all. Threat modeling helps you determine where your organization needs to focus on. |
||||||
| Incremental Rendering | Threat modeling is performed repeatedly. You don't need to worry about missing details in any single loop-make each loop effective. You will perform the following operations repeatedly:
Constantly present information available to you, and clarify what you know now and what you need to know next. |
||||||
| Precise Context | Context is precise to provide relevance. Context accuracy refers to context-specific, application type, and application solution to enhance information relevance. Because different application types, application usage, and roles generate different threats and vulnerabilities, You need to view application cases and roles to truly identify threats and actual vulnerabilities. |
||||||
| Boundary | Creating a boundary helps define constraints and goals. Boundary helps you determine what is absolutely not allowed, what needs to happen, and what is best to happen. |
||||||
| Entry and Exit conditions | By defining the entry and exit conditions, you can establish a test to test whether the test is successful, to know when the threat model is completed (good enough), and to ensure that the time spent in the activity is appropriate. |
||||||
| Communication and collaboration tools | Your threat model is a communication and collaboration tool that should be used to improve knowledge sharing and understanding. Threat modeling is used to focus energy and decision-making on design, development, testing, operations, and business. By recording threats and vulnerabilities in the document (even if they are resolved), you can help everyone understand them and avoid accidental omission of certain steps. |
||||||
| Mode-based Information Model | By using a pattern-based information model, you can determine the pattern of repetitive problems and solutions and organize them into categories. You can then use these categories to break down the application to further analyze and identify vulnerabilities related to each category for the application. By organizing vulnerabilities in this way, you can identify and handle vulnerabilities in a more systematic manner, and help you take advantage of common knowledge. In short, you do not have to start from scratch or become an expert on some issues. Categories can also facilitate information reuse and effective communication. You can use these pattern-based categories to organize and share principles and practices. |
||||||
| Major engineering decisions | A good model indicates your high-risk engineering decision-making and design choices. These high-risk options are good candidates for focusing on prototype results. |
||||||
The Web Application Security Framework defines a set of vulnerability categories for Web applications. These categories are the most common areas where errors occur. They indicate areas where attention is most important.
The categories defined by the Web Application Security Framework are derived from security experts who examine and analyze the top-level security issues of many web applications. These categories are refined by feedback from Microsoft consultants, Product Support Engineers, customers, and Microsoft partners.
Table 3 summarizes the categories in the Web Application Security Framework.
| Table 3: Web Application Security Framework | |
| Category | Description |
| Input and data verification | How can I know that the input received by the application is valid and safe? Input Validation refers to how the application filters, deletes, or rejects input before other processing. |
| Authentication | Who are you? Identity Authentication is a process in which one entity authenticates another entity. It is usually performed by creden, such as the user name and password. |
| Authorization | What can you do? Authorization is a way for applications to provide access control over resources and operations. |
| Configuration Management | Who is your application running? Which database does it connect? How to manage your applications? How do I protect these settings? Configuration management refers to how your application handles these operations. |
| Sensitive data | How does your application process sensitive data? Sensitive data refers to how your application processes all data that must be protected, whether in memory, on the network, or permanently stored. |
| Session management | How does your application process and protect user sessions? A session is a series of related interactions between a user and your web application. |
| Encryption | How to maintain confidentiality )? How can we prevent others from tampering with your data or database (integrity )? How to provide seeds for random values that must have strong confidentiality? Encryption means that the application ensures the confidentiality and integrity. |
| Parameter operations | How does your application operate on parameter values? For applications, form fields, query string parameters, and cookie values are often used as parameters. Parameter operations mean that the application protects these values from tampering, and that the application processes input parameters. |
| Exception management | What will your application do when a method call in the application fails? How much is displayed? Do you return the error message to the end user in a friendly manner? Do you pass valuable exception information to the caller? Is the failure method of the application friendly? |
| Review and record | When did someone do anything? Review and record refers to the way in which applications record security-related events. |
You can use this framework to help identify threats and vulnerabilities. During threat identification, you should use it to help identify common threats related to your own application architecture. To help identify vulnerabilities, you can check applications layer by layer in a similar way and consider each vulnerability category in each layer.
Tool IntegrationThreat modeling and other security engineering activities can be supported through design and development tools.Modes and practicesThreat modeling tools are supported by the following tools:
| • | Visual Studio team system integration.In the MSF agile software development processPatterns & PracticesThreat modeling methods are integrated into Microsoft Visual Studio team system. For more information, see MSF process guidance or visit the MSF web site. |
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
