Threat Modeling (TM) is the process of building and testing a modeled environment against modern threats,
helping to gain a comprehensive understanding of one’s attack surface and to build a solid defense strategy. The
complexity of modern threat behavior makes accurately mapping data flows and dependencies an exhaustive
process, requiring countless meetings with developers and architects. TM is the process of systematically identifying,
describing and documenting the threats that are most likely to affect a system.
Often, manual processes fail to uncover all of an application’s behavior, especially with 3-tier applications like web
portals and business apps. These discrepancies can lead to massive holes in one’s east-west security system,
leaving critical paths to user data and exfiltration open for potential exploitation.
Many organizations are moving toward agile development and are also looking to implement DevSecOps in their
environments, so it makes a lot of sense to perform threat modeling on applications to remove threats earlier in the
Software Development Lifecycle (SDLC). Benefits of TM are summarized in the chart below:
Identifying what needs to be analyzed is an important first step in the process of threat modeling. We need to
identify usage scenarios, internal and external dependencies, entry and exit points, roles and access points along
with security controls that need to be verified. We also need to gather data by interviewing multiple stakeholders.
Here is a sample list of the controls that your organization should capture for TM:
Assets
A1 Contributor’s unique vulnerabilities for any Vendor application
A2 Contributor’s registration details (Name, E-Mail Address, Bank Account details, etc.)
C4 Database security controls (DB Connections, passwords, Encryption keys that are encrypted by
using the SHA256 algorithm)
Once there is a clear understanding of application design and Data Flow Diagrams (DFDs) are created, the
application can be decomposed into smaller modules. Once the modules are defined, a Data Flow Diagram is
created for each module (as shown in the figure below).
The Data Flow Diagram comprises all of the components (like Log servers, databases, e-mail servers, etc.) that are
present in the architectural diagram of the application.
Document Threats: After identifying the assets and existing security controls, we identify the missing security
controls and risk rank each threat. We can use tools like Threat Modeler (or other similar solutions) that will help
us to visualize the threats.
Rank Threats: DREAD is a classification scheme to determine and compare the amount of risk introduced by each
evaluated threat. Classification of the threats by using DREAD permits us to rank potential threats.
Reporting: The list of identified threats is classified according to STRIDE (Spoofing, Tampering, Repudiation,
Information Disclosure, Denial of Service and Elevation of Privilege) and a number of vulnerabilities with priorities
are highlighted and can be presented to the Dev team for mitigation.
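The document, rank and report steps above, shown as an added example that is not taken from this white paper or from any tool it mentions: a small threat register that scores each threat with DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) and groups the ranked list by STRIDE category. The 1-10 rating scale, the averaged score, the High/Medium/Low cut-offs and the sample threats are assumptions made for illustration; the asset ids A1, A2 and C4 follow the sample list above.

```python
from collections import defaultdict
from dataclasses import dataclass

STRIDE = ("Spoofing", "Tampering", "Repudiation", "Information Disclosure",
          "Denial of Service", "Elevation of Privilege")

@dataclass(frozen=True)
class Threat:
    title: str
    asset: str     # id from the asset/control inventory, e.g. "A2"
    stride: str    # one STRIDE category
    dread: tuple   # (Damage, Reproducibility, Exploitability, Affected users, Discoverability)

    def __post_init__(self):
        if self.stride not in STRIDE:
            raise ValueError(f"unknown STRIDE category: {self.stride}")
        if len(self.dread) != 5 or not all(1 <= v <= 10 for v in self.dread):
            raise ValueError(f"DREAD needs five ratings in 1..10: {self.title}")

    @property
    def score(self):
        return sum(self.dread) / 5   # assumed convention: mean of the five ratings

    @property
    def priority(self):
        # Assumed cut-offs; tune them to your own risk appetite.
        return "High" if self.score >= 7 else "Medium" if self.score >= 4 else "Low"

def build_report(threats):
    """Group threats by STRIDE category, highest DREAD score first in each group."""
    report = defaultdict(list)
    for t in sorted(threats, key=lambda t: (-t.score, t.title)):
        report[t.stride].append((t.asset, t.title, t.score, t.priority))
    return {cat: report[cat] for cat in STRIDE if cat in report}

# Constructed sample threats; the ratings are illustrative, not measured.
THREATS = [
    Threat("Registration form accepts forged contributor identity", "A2", "Spoofing", (6, 7, 5, 4, 6)),
    Threat("Bank account details readable from verbose error pages", "A2", "Information Disclosure", (9, 8, 7, 8, 7)),
    Threat("DB connection password stored in plain-text config", "C4", "Information Disclosure", (9, 9, 6, 9, 5)),
    Threat("No audit trail for vulnerability report edits", "A1", "Repudiation", (4, 5, 3, 3, 2)),
]

if __name__ == "__main__":
    for category, rows in build_report(THREATS).items():
        print(category)
        for asset, title, score, priority in rows:
            print(f"  [{priority:6}] {score:4.1f}  {asset}  {title}")
```

Rating each factor separately forces the reviewers to justify a score, and the grouped output is the prioritized list that goes to the Dev team.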
In particular, CISOs, Cloud and AppSec architects will find this white paper beneficial, because we explain how
automated threat modeling can be used as part of the equation to drive security and compliance in your Cloud
journey. New technologies are emerging in Threat Modeling which help to provide inside-out application visibility
by automating processes. They provide deep visibility for threat models to give gap-free coverage with minimal or
no human involvement, saving enterprises like yours time and money while helping to minimize
cybersecurity risk.
There are new tools in the market which help organizations to create threat models on the fly that are integrated
into their DevOps environments. The tools automate key activities in the Threat Modeling process to reduce
overall risk, without the time and expense that are required for manual processes.
By automating Threat Modeling, you can automatically discover, visualize and threat model across your entire
application stack (in the Web, Application and Database application tiers) that is running on bare-metal, virtual,
containerized or micro-services platforms. You can reduce threat modeling to a couple of hours instead of months,
which will save you time and resources. You can also save time and money by removing developers and designers
from the Threat Modeling process.
HCL works with multiple vendors in the automated threat modeling space to provide the best solutions to our
customers.
HCL provides a wide range of end-to-end application security services to our customers that originate from our
cybersecurity division. The service offerings are recapped below:
HCL’s solutions combine market-leading technology with the deep expertise of our security professionals. HCL’s
cybersecurity horizontal specializes in security services areas that cover vast areas of expertise and are powered by
HCL’s software solutions such as HCL AppScan. We will support your digital transformation, giving you the
reassurance you need to embrace new ways of working.
Contact Us
CyberSecurity-GRC@hcl.com
Ramesh BV has more than 15 years of experience working in the IT industry, wearing multiple hats as a developer,
tester, Security consultant and solutions architect, performing sales and pre-sales roles in product and service
companies. In his present role at HCL, he works as a Product Manager in the cybersecurity division and is
responsible for setting up managed services platforms for HCL’s application security solutions.
In his previous roles at HPE and IBM, he helped to build architecture for Security Operations Centers (SOCs) for
many customers and helped to set up application security Centers of Excellence (COEs) for global IT service
providers and partners.
Way Forward
Expected Value To Customers
Customer hyper-care – Nurture and strengthen existing customer relationships. Engage in closer, meaningful discussions on product direction. Customer-centric roadmaps – Apart from
addressing key customer requirements, HCL is also investing in product modernization and TCO reduction for customers.