登录查看更多内容

What is a threat model, and how can you use it to test web security?

由人工智能和领英社区提供技术支持

If you are an application developer, you know how important it is to protect your web applications from malicious attacks. But how can you identify and prevent the most common and dangerous threats? One way is to use a threat model, a systematic approach to analyze and prioritize the risks to your web assets. In this article, you will learn what a threat model is, and how you can use it to test web security.

在这篇协作文章中查找专家回答

由社区从 3 条内容中精选。了解更多

1 What is a threat model?

A threat model is a document that describes the potential threats to your web application, based on its architecture, functionality, and data flows. A threat model helps you to understand the attack surface, or the ways that an attacker can exploit your web application, and the impact, or the consequences of a successful attack. A threat model also helps you to define the security requirements, or the measures that you need to implement to mitigate the threats.

添加您的观点

Usman Shahzad, CISSP, GICSP

IT/OT GRC Leader | CISSP | GICSP | ISA 62443 Cybersecurity Expert | ISO 27001:2022 Lead Auditor | ISO 22301:2019 Lead Implementer | ISO 27005:2022 | CASP+ | CEH
举报内容
A threat model describes the possible dangers against a particular system(including web applications), its weaknesses, as well as the possible losses that may result from these flaws in a precise way. This is a preventive method to identify possible security vulnerabilities that can be used by threat agents. The Core Components of Threat Modelling is : -1) Asset Identification -2) Threat and VA -3)Risk Assessment -4) Deploy and Implement the Security Controls The answer for Web Scenario for the How part is : -1) Simulate the Attack Scenarios -2) Perform the PT -3) Through code review -4) Perform the VA in the context of the developed Threat model. -5) Perform Testing (Exploit Vulnerabilities Effectiveness of Controls)

已翻译

赞
John Boden

Consultant IT Architect | MBCS Accredited Professional
举报内容
As defined in the National Institute of Standards and Technology (NIST) framework and commonly adopted by many other countries. Threat modelling is a form of risk assessment that models aspects of the attack and defence sides of a particular logical entity. This should be used in conjunction with wider NIST cyber security framework combining identify, protect, detect, respond and recover. There is also soon to be a govern aspect to considered in the new 2.0 NIST framework due in 2024.

已翻译

赞

2 How to create a threat model?

There are different methods and tools to create a threat model, but one of the most widely used is the STRIDE framework, developed by Microsoft. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. These are the six categories of threats that you need to consider for each component and interaction of your web application. For each threat, you need to assess the likelihood, the severity, and the countermeasures.

添加您的观点

John Boden

Consultant IT Architect | MBCS Accredited Professional
举报内容
Like most frameworks there is not a one size fits all. According to the Software Engineering Institute there are 12 models available. It is better to assess each one in turn and pick the one which best fits your businesses cyber security maturity level (refer back to NIST if you need to measure your maturity level). The twelve models are as follows. 1. STRIDE and Associated Derivations 2. PASTA 3. LINDDUN 4. CVSS 5. Attack Tree 6. Persona non Grata 7. Security Cards 8. hTMM 9. Quantitive TMM 10. Trike 11. VAST Modelling 12. OCTAVE

已翻译

赞

3 How to use a threat model to test web security?

A threat model is not a static document, but rather a dynamic process that you need to update and refine throughout the development lifecycle. Through the use of a threat model, you can test web security in various ways. For instance, you can design security tests based on the identified threats and countermeasures, perform security code reviews and audits to check for vulnerabilities and compliance, conduct penetration testing and ethical hacking to simulate real-world attacks and validate the security controls, as well as monitor and log the web application activity and performance to detect and respond to incidents.

添加您的观点

4 What are the benefits of using a threat model?

Using a threat model can help you improve your web security in several ways, such as reducing the risk of data breaches and cyberattacks, enhancing the quality and reliability of your web application, saving time and money, as well as increasing your awareness and knowledge of web security best practices and standards. This can help protect your reputation, revenue, and users from harm, while preventing errors and bugs before they occur.

添加您的观点

5 What are the challenges of using a threat model?

Creating a threat model can be complex and time-consuming, especially for large and dynamic web applications, and maintaining it can be difficult and costly. Additionally, applying a threat model can be inconsistent and subjective, as different developers and testers may have different perspectives and assumptions. Despite these limitations, using a threat model is still beneficial as it helps to identify potential risks and vulnerabilities in your web application.

添加您的观点

6 Here’s what else to consider

This is a space to share examples, stories, or insights that don’t fit into any of the previous sections. What else would you like to add?

添加您的观点

Application Development

+ 关注

给文章评分

我们借助人工智能创建了此文章。您认为这篇文章怎么样？

很棒不太好

举报此文章

查看全部

What is a threat model, and how can you use it to test web security?

1

2

3

4

5

6

1 What is a threat model?

2 How to create a threat model?

3 How to use a threat model to test web security?

4 What are the benefits of using a threat model?

5 What are the challenges of using a threat model?

6 Here’s what else to consider

Application Development

给文章评分

感谢您的反馈

更多Application Development相关文章

更多相关阅读内容