Guide to Threat Modelling for Web-Apps

icon Posted by: Hasan Sameer
icon October 4, 2022

In Brief:

What is Threat Modelling?

Threat modeling is a systematic way of identifying and evaluating application threats and vulnerabilities. When it comes to web applications, threat modeling refers to an organized approach to identifying security design problems early in the application design process. This approach helps you to devise mechanisms for the early mitigation of security issues before they cause any catastrophe. You can initiate threat modeling for web applications at any stage of development. More or less, the method of executing the process depends on your needs and capabilities.

19.87%

of web applications used in the manufacturing industry host a malicious URL.

32%

of malware is distributed through web applications.

47%

of web applications lack physical security in the workspace.

72%

of organizations are concerned about man-in-the-middle attacks on their web applications.

Significance of Threat Modelling for Web-Apps

Web applications are reliant on interactions with other sources, systems, and databases for their proper functioning. This increases the overall surface of the application. Eventually, the risk of cyber attacks on the application increases. Threat modeling can describe the specific threats that an application is susceptible to. You may consider threat modeling as an extension of the risk assessment process. It enables you to identify and categorize security risks ranging from unauthorized system access to insecure physical data storage.

A threat model features underlying risk factors, identified threat actors, potential attack vectors, and the business impact of all these things. Along with identifying the problems, it also provides you with remedies. However, methods like Web Application Pentesting also help with identifying and eliminating potential security risks. But threat modeling offers a more systematic and question-driven approach for the same purpose.

Steps for Web Application Threat Modelling

There are five key steps in threat modeling for web applications. The model gets more and more detailed as the development cycle progresses. Let us go through the steps one by one:

1. Identify Security Objectives

There are three main aspects of identifying the security objectives within your application:

  • Confidentiality: preventing unauthorized information disclosure.
  • Integrity: protection against unauthorized information changes.
  • Availability: offering essential services even under attack.

Security objectives are covered under the umbrella of the project objectives. You can use it to support your cause of action in threat modeling. After identifying the main security objectives, it becomes easier to divert your focus to the important things. Preventing crucial customer data such as passwords and profile information is a key point in the list of security objectives. Additionally, it includes protecting the company’s online credibility.

2. Creating Application Overview

This step is about creating an outline of what the application can do. Here, your task is to determine and depict the key functionality and characteristics of the application that you are offering to your clients. This makes the process of identifying the relevant threats a bit easier. Like modern application development, threat modeling is also an iterative process. Accumulate as much detail as possible and then add more details later when there are any changes or additions in the design.

Chronology of application overview process:

  • Draw end-to-end deployment
  • Identify the roles of each team member
  • Identify the potential circumstances for usage
  • Identify the technologies used in the application design
  • Analyze the security mechanisms

3. Decompose Your Application

This step involves breaking down the application to identify the key points such as boundaries, data flows, entry points, and exit points. The purpose of this step is to understand the mechanics of the application. It eventually helps to discover vulnerabilities and potential threat vectors.

The steps involved in Application Decomposition are:

  • Identifying trust boundaries.
  • Identifying data flows.
  • Identifying entry points.
  • Identifying exit points.

4. Decompose Your Application

This step involves breaking down the application to identify the key points such as boundaries, data flows, entry points, and exit points. The purpose of this step is to understand the mechanics of the application. It eventually helps to discover vulnerabilities and potential threat vectors.

The steps involved in Application Decomposition are:

  • Identifying trust boundaries.
  • Identifying data flows.
  • Identifying entry points.
  • Identifying exit points.

5. Identify Threats

This stage involves threat identification and determining the potential attacks on the application that might compromise the security infrastructure of the application. The development and security teams sit together for a brainstorming session to figure out the potential security issues that might affect the application’s functions. There are two possible approaches that you can use for carrying out this process. First is identifying the common threats and attacks. Here we list the common security threats based on the application vulnerabilities. Then we apply the same list to the application architecture and see the response. The second is a question-driven approach. We use a STRIDE model that includes spoofing, tampering, repudiation, information disclosure, and denial of service. We apply all the methods to the application architecture and see what stimuli our application is sensitive to.

Before You Go!

  • Cyber Security Solutions such as Web Application Pentesting make the security posture of your web applications formidable.
  • Through this blog, you also got to know the significance of threat modeling for web apps and how to perform it.
  • Make sure you take the advice of a cybersecurity expert before executing such a process. You can get in touch with RSK Cyber Security for any help related to this matter.

Tags

Let's talk about your project

Banner Banner

Get Secured Today

Request an audit

Locate Us

Headquarter Anerley Court, Half Moon Lane, Hidenborough, Kent, TN11 9HU,
UK.
Contact: +44(0) 1732 833111
UAE Concord Tower, 6th Floor, Dubai Media City, 126732
Dubai, UAE.
Contact: +971 (0) 4 454 9844
USA 103 Carnegie Center Blvd. Ste. 300 Princeton, NJ 08540,
USA.
Contact: +1(732) 333 8853
India Plot No.14, 5th Floor, Sector-18, Gurugram -122015 Haryana,
India.
Contact: +91(0) 124 4201376
+44 789 707 2660

We'd Love to Hear From You