Maximize Your

Defense Strategy with

Application Threat
Modeling
Application Threat Modeling

Threat Modeling (TM) is the process of building and testing a modeled environment against modern threats,
helping to gain a comprehensive understanding of one’s attack surface and to build a solid defense strategy. The
complexity of modern threat behavior makes accurately mapping data flows and dependencies an exhaustive
process, requiring countless meetings with developers and architects. It is the process of systematically identifying,
describing and documenting the threats that are most likely to affect a system.

Often, manual processes fail to uncover all of an application’s behavior, especially with 3-tier applications like web
portals and business apps. These discrepancies can lead to massive holes in one’s east-west security system,
leaving critical paths to user data and exfiltration open for potential exploitation.

Many organizations are moving toward agile development and are also looking to implement DevSecOps in their
environments, so it makes lot of sense to perform threat modeling on applications to remove threats earlier in the
Software Development Lifecycle (SDLC). Benefits of TM are summarized in the chart below:

Threat Modeling Process

The process involves identifying security requirements earlier in the SDLC, so that by using threat modeling tools
such as STRIDE/DREAD, CVSS, OCTAVE (and others), we can identify threats in the system. Once identified, proper
mitigation strategies can also be defined that will help in developing robust applications. As shown below, threat
modeling comprises a number of important activities that need to be followed:
 Identify your assets and applications that need protection

Identify usage scenarios and assumptions in the applications

Identify internal and external dependencies, entry and exit

points, trust levels, roles and access matrices

Identify threats, using methods like STRIDE/DREAD,CVSS

and build threat modules

Build threat trees, prioritize and document threats for

mitigation

Identify Security Controls and Threat Scoring

Identifying what needs to be analyzed is an important first step in the process of threat modeling. We need to
identify usage scenarios, internal and external dependencies, entry and exit points, roles and access points along
with security controls that need to be verified. We also need to gather data by interviewing multiple stakeholders.
Here is a sample list of the controls that your organization should capture for TM:

Assets
A1 Contributor’s unique vulnerabilities for any Vendor application

A2 Contributor’s registration details (Name, E-Mail Address, Bank Account details, etc.)

A3 Status of each contributor's vulnerability

A4 Credit information stored on log servers (Transaction logs)

A5 User’s credentials (for Admins & Contributors)

A6 User’s Session IDs
A7 Key events stored in Log files
 Security Controls
C1 TLS (Transport Layer Security) 1.2
C2 Application Security Controls (Authorization checks, server-side input validation)

C3 AAA WebService validation (for Admin Authentication, Authorization and Accountability)

C4 Database security controls (DB Connections, passwords, Encryption keys that are encrypted by
using the SHA256 algorithm)

Creating Threat Modules

Once there is a clear understanding of application design and Data Flow Diagrams (DFDs) are created, the
application can be decomposed into smaller modules. Once the modules are defined, a Data Flow Diagram is
created for each module (as shown in the figure below).

The Data Flow Diagram comprises all of the components (like Log servers, databases, e-mail servers, etc.) that are
present in the architectural diagram of the application.

Document Threats: After identifying the assets and existing security controls, we identify the missing security
controls and risk rank each threat. We can use tools like Threat Modeler (or other similar solutions) that will help
us to visualize the threats.
Rank Threats: DREAD is a classification scheme to determine and compare the amount of risk introduced by each
evaluated threat. Classification of the threats by using DREAD permits us to rank potential threats.

Reporting : The list of identified threats is classified according to STRIDE (Spoofing, Tampering, Repudiation,
Information Disclosure, Denial of Service and Elevation of Privilege) and a number of vulnerabilities with priorities
are highlighted and can be presented to the Dev team for mitigation.

What’s New in Threat Modeling

Most organizations have made at least a partial move to the Cloud or have plans to eventually migrate. With all of
Cloud’s inherent benefits – from cost savings, to optimization and scalability on demand – it is often too valuable
to pass up. However, there are plenty of risks that you need to consider.

In particular, CISOs, Cloud and AppSec architects will find this white paper beneficial, because we explain how
automated threat modeling can be used as part of the equation to drive security and compliance in your Cloud
journey. New technologies are emerging in Threat Modeling which help to provide inside-out application visibility
by automating processes. They provide deep visibility for threat models to give gap-free coverage with minimal or
no involvement of human interference, saving enterprises like yours time and money while helping to minimize
cybersecurity risk.

There are new tools in the market which help organizations to create threat models on the fly that are integrated
into their DevOps environments. The tools automate key activities in the Threat Modeling process to reduce
overall risk, without the time and expense that are required for manual processes.

How Threat Modeling Saves Time and Improves Productivity

Automated Threat Modeling during DevSecOps:

By automating Threat Modeling, you can automatically discover, visualize and threat model across your entire
application stack (in the Web, Application and Database application tiers) that are running on bare-metal, virtual,
containerized or micro-services platforms. You can reduce threat modeling to a couple of hours instead of months,
which will save you time and resources. You can also save time and money by removing developers and designers
from the Threat Modeling process.

Major benefits of Automated Threat Modeling include:

• Full automation of application threat modeling at any scale and any level of complexity, which results in
faster time to market.
• Real-time and continuous modeling of applications across multiple releases and across the overall
lifecycle, which improves efficiency.
• The ability to model large portfolios of applications in minutes (compared to weeks or months), which
gives you scalability across your enterprise.
• Cost savings, by helping you to shift left and mitigate threats earlier in the SDLC, where vulnerabilities are
less costly to remediate than in later stages of the development process.

HCL works with multiple vendors in the automated threat modeling space to provide the best solutions to our
customers.

HCL Cybersecurity Services for Threat Modeling

HCL provides a wide range of end-to-end application security services to our customers that originate from our
cybersecurity division. The service offerings are recapped below:

• Threat Modeling as a service (manual and automated)

• Managed Security Services for application security (automated and manual scanning)
• API security and mobile security
• Cloud application security
• Penetration Testing
• Runtime application protection

HCL’s solutions combine market-leading technology with the deep expertise of our security professionals. HCL’s
cybersecurity horizontal specializes in security services areas that cover vast areas of expertise and are powered by
HCL’s software solutions such as HCL AppScan. We will support your digital transformation, giving you the
reassurance you need to embrace new ways of working.
 Contact Us

Contact the HCL cybersecurity team for more details:

CyberSecurity-GRC@hcl.com

About the Author

Ramesh BV has more than 15 years of experience working in the IT industry, wearing multiple hats as a developer,
tester, Security consultant and solutions architect, performing sales and pre-sales roles in product and service
companies. In his present role at HCL, he works as a Product Manager in the cybersecurity division and is
responsible for setting up managed services platforms for HCL’s application security solutions.

In his previous roles at HPE and IBM, he helped to build architecture for Security Operations Centers (SOCs) for
many customers and helped to set up application security Centers of Excellence (COEs) for global IT service
providers and partners.

Way Forward
Expected Value To Customers
Customer hyper-care – Nurture and strengthen existing customer relationships. Engage in closer, meaningful discussions on product direction. Customer-centric roadmaps – Apart from
addressing key customer requirements, HCL is also investing in product modernization and TCO reduction for customers.

Expected Value To Partners

HCL Software has a robust Partner ecosystem to design, deliver and support our offerings. Whether you are a developer, consultant or partner, Partner Connect will provide you with
insight on how you can build value in your go to market with HCL Software. Partner Connect - One-stop-shop for software-based offerings to enable growth and scale:
https://www.hcltechsw.com/wps/portal/resources/partner-connect/

Resell and Build With Us | Provide Services around our Products.

Please reach out to Geo Partner heads for more information. You can find your geo head at:
https://www.hcltechsw.com/wps/portal/resources/partner-connect/partner-resources/partner-team

For more information about our product portfolio, visit us at www.hcltechsw.com

About HCL Software

HCL Software is a division of HCL Technologies (HCL) that operates its primary software business. It develops, markets, sells, and supports over 20
product families in the areas of DevOps, Automation, Digital Solutions, Data Management, and Mainframes. HCL Software has offices and labs around the
world to serve thousands of customers. Its mission is to drive ultimate customer success with their IT investments through relentless innovation of its
products. For more information, please visit www.hcltechsw.com.