Professional Documents
Culture Documents
THREAT MODELING
Threat Modeling Overview
Experience shows Threat modeling is a structured activity for identifying and evaluating software
that nearly 50% of application threats and vulnerabilities. It remains one of the most impactful but
security flaws will be under-utilized risk mitigation techniques. Effective threat modeling ensures that
limited resources are spent addressing the most critical threats, whether it’s
discovered from
conducting deeper scrutiny in certain areas or expanding mitigating controls.
Threat Modeling
because it finds This guide will provide the necessary high‐level knowledge needed to quickly
different threats than create a basic threat model for your software application scenario that can be used
those found through to help refine your application’s design throughout all stages of development, and
other assessment serve as a central reference among teams. This approach leads to the goal of
identifying and addressing vulnerabilities.
techniques.
The security objectives, threats, and attacks that you identify in the early stages of
Michael Howard the process are designed to help you later find vulnerabilities in your application to
Sr. Security Architect
help shape your design, drive development, and refine your security testing.
Microsoft
2
Preparing to Threat Model
The primary objective of threat modeling is to improve security design. This can be
done by scoping the model, using existing documents, using an iterative approach,
adapting, and having the information you need.
Existing Iterative
Scope the model Adapt Information
documentation approach
Existing documentation
Use any existing design documents such as use cases or user stories, data flow
diagrams, architecture diagrams, and other design documentation. A helpful tip is
to start with a whiteboard. It can be easier to get started by modeling on a
whiteboard before you start capturing information in documents or getting lost in
the details.
3
Preparing to Threat Model
Iterative approach
A threat model is not a static asset. Add more detail and evolve your threat model
as you continue to design and develop. Use ongoing modeling to reduce risk and to
inform your design decisions. For example, early in the design process, you may
have only basic use cases, an initial deployment topology, and an idea of how you
will layer your application. By using an iterative approach, you both become more
familiar with the modeling process and can evolve your threat model to examine
“what if” scenarios as more information becomes available to you.
You might choose to adopt a more formal approach and identify milestones for
revisiting your model. What is most important is that you revisit the model when
you need to make an engineering decision, as you introduce new levels of risk, and
when you contemplate significant design choices.
Adapt
Adapt the activity for your situation. If you have existing applications, you can use
the threat and vulnerability identification approaches in Steps 4 and 5. With this
information, you can determine where to focus your efforts.
Information
To be able to draw and understand your end-to-end deployment scenario, you need
to have information about the host configuration, firewall policies, allowed
protocols and ports, and so on. Obtain this information, and other information
about host and network constraints, by talking to your system and network
administrators.
4
The Threat Modeling
Process
1. Identify Security Objectives – This helps you focus the threat modeling activity
and determine how much effort to spend on subsequent steps.
5
The Threat Modeling Process
As you move through your application development lifecycle and discover more
details about your application, you will progressively add more detail to your threat
model. Continually repeat this process as necessary as you gain more
understanding of your application and its weaknesses.
Tip: Try not to get stuck on the steps or implementation; instead, focus on the
overall approach. If you get blocked on any of the early steps, start to identify
threats (step 4).
identifying your key security objectives, you can determine where to focus your
ial
In
nt
efforts.
te
e
g
fid
rit
Identifying your objectives also helps you to understand the goals of potential
n
y
Co
attackers and concentrate on those areas of your application that require closer
Availability
attention. If, for example, you identify customer account details as sensitive data
that needs protecting, you can then examine how securely the data is stored and
how access to the data is controlled and audited
Assures that data can only be Guarantees that data is in its Ensures users are always able to
accessed by those with proper original state, free from access a system, e.g.:
authorization, e.g.: corruption or modification, e.g.:
• Adequate server uptime
• Sufficient encryption for data • Verification checksums and when under attack
in transit and at rest verification hashes
• Adequate backups to recover
• Strong authentication • Digital signatures from server failures or
compromise
• Proper permissions and other • Encrypted data transports
authorization controls such as TLS • Sufficient bandwidth and
proper firewalls to withstand
DoS attacks
6
The Threat Modeling Process
• What to Protect – Does your application use user accounts and passwords,
customer account details including personalization information, financial history
and transaction records, customer credit card numbers, bank details, or travel
itineraries?
After asking yourself these questions, security objectives become more clear.
Some common security objectives include:
• Prevent attackers from obtaining sensitive user data like passwords and profile
information
• Identify key usage scenarios – Describe what your application does. Focus on
the Create, Read, Update, and Delete functionality.
7
The Threat Modeling Process
Using a whiteboard or paper, draw a rough diagram that describes the composition
and structure of your application, its subsystems, and its deployment
characteristics.
Next, add logical layers. Show where the presentation layer, business layer, and data
access layers reside.
Refine the diagram to include physical server boundaries when you know them.
Add key components and services within each logical layer. Refine the diagram to
include actual process and component boundaries when that information
becomes available. Include communication ports and protocols; show which
servers, components, and services communicate with each other and which
protocols they use.
Finally, show the main identities and roles used for the application and any relevant
service accounts if you have this information. Be sure to include authentication
protocols and account storage locations.
After you’ve sketched out the deployment scenario, it’s important to identify your
application’s roles, duties, and functions. For example:
• Who can perform sensitive functions like read, update data, or delete data?
Use role identification to determine both what is supposed to happen and what is
not supposed to happen. Like the other steps, this activity will be a continual
documenting process that gets more detailed with each iteration.
With user roles in place, next map out the key usage scenarios for your application.
What are the important features of your application? What does it do?
Utilize your application’s use cases, if available, to derive this information. Identify
the application’s main functionality and usage, with a primary focus on the Create,
Read, Update, and Delete functionality.
8
The Threat Modeling Process
In these cases, you can look at the possibilities of the business rules being misused.
For example, consider a user trying to modify personal details of another user. You
often need to consider several use cases happening simultaneously to perform a
complete analysis.
Also identify which scenarios are out of scope and use your key scenarios to
constrain the discussion. For example, you might decide that operational practices,
such as backup and restore, are out of scope for the initial threat modeling exercise.
Identify Technologies
Where possible, list the technologies and key features of the software and platforms
that you use. Also identify the following:
• Operating systems
• Application frameworks
• Development languages
Finally, identify any key information that you know about your application’s security
mechanisms, including:
These details are important because they will be key starting points when
identifying threats later in the process
Tip: Threat modeling is an iterative process, so you don’t need to have a complete
application overview before identifying threats. For example, if you are in the
middle of your design and have not yet tackled physical deployment, you can still
perform this step, and add more detail on deployment when available
9
The Threat Modeling Process
Identify your application’s trust boundaries to help focus your analysis on areas of
concern. Trust boundaries indicate where trust levels change. You can think of trust
from the perspective of confidentiality and integrity. For example, a change in
access control levels in your application where a specific role or privilege level is
required to access a resource or operation would be a change in trust level.
Another example would be at an entry point in your application where you might
not fully trust the data passed to the entry point.
• Start by defining your outer application boundaries. For example, your web
servers might connect to shared file resources as well as application and
database servers. This core cluster of services defines your application boundary.
• Next, identify access control points or the key places where access requires
additional privileges or role membership. For example, a specific page might
be restricted to managers. The page might require authenticated access and
require membership in the administrators’ group.
• Finally, identify trust boundaries from a data flow perspective. For each
subsystem, consider whether you trust the upstream data flow or use case, and if
not, consider how the data flow and input might be validated, authenticated, and
authorized.
Knowing which entry points exist between trust boundaries allows you to focus
your threat identification on these key entry points. For example, you are likely to
have to perform more validation on data passed through an entry point at a trust
boundary. Some examples of trust boundaries include:
• Perimeter firewall – The firewall is likely to be the first trust boundary. It moves
qualified information from the untrusted Internet to your trusted data center.
• The boundary between a web server and database server – Your database may
or may not be included in your application’s trust boundary. Often the web
10
The Threat Modeling Process
servers act as a second firewall to the databases. This practice significantly limits
network access to the databases and thereby reduces the attack surface,
although you will also need to consider the network topology within your data
center.
• Entry points into components which handle privileged data – In the case of a
business component that handles privileged data, you need an access check to
ensure that only the appropriate callers are allowed access; that is, data should be
available (exposed) to only particular users.
To identify data flows, trace your software application’s data as it moves through the
various subsystems, starting with user input. This activity helps you gain a better
understanding of the interaction between each of your application’s components.
A good approach is to start at the highest level and then deconstruct the
application by analyzing the data flow between individual subsystems. For example,
start by analyzing the data flow between your web application, your middle-tier
servers, and your database server.
The entry points of your application also serve as entry points for attacks and can
include the front-end web application listening for HTTP requests. This entry point
is intended to be exposed to clients. Other entry points, such as internal entry
points exposed by subcomponents across the layers of your application, may exist
only to support internal communication with other components. However, you
should know where these are and what types of input they receive in case an
attacker manages to bypass the front door of the application and directly attack an
internal entry point.
Consider the trust levels and features required to access each entry point. Early in
the threat modeling activity, focus your attention on entry points that expose
privileged functionality, such as administration interfaces. Identify the points where
your application sends data to the client or to external systems.
Prioritize the exit points where your application writes data that includes client
input or includes data from untrusted sources such as shared databases.
Tip: You are likely to have to perform more validation on data passed through an
entry point at a trust boundary.
11
The Threat Modeling Process
4 Identify Threats
In this step, you identify threats and classes of attacks that might lead to
compromise or otherwise affect your application’s security. To conduct this
identification process, bring members of the development and test teams together
to conduct an informed brainstorming session. Ideally, the team consists of
application architects, security professionals, developers, testers, and system
administrators.
Identify
threats
Threats Along
Use Cases
Identify threats based on what you have learned so far in defining your security
objectives and identifying the application’s trust boundaries.
• Identify Threats
• Common Threats
Two common approaches to brainstorm threats are either to start with common
threats and attacks, or to use a question-driven approach.
If using the common threats and attacks approach, make a list of common threats
grouped by application vulnerability categories. For example, you might create a
server list and a user’s list. Under server you may have path traversal, denial of
service, SQL injection, and XSS. Under users, you may list malware, brute force, and
spam.
Next, using the information gathered in the previous steps, determine how each
threat applies to your own application. The determination will enable you to
eliminate some threats from the list, as well as to refine those threats that apply to
your application.
12
The Threat Modeling Process
For example, could an attacker spoof an identity to access your server or web
application? Could someone tamper with data over the network or in a data store?
Is sensitive information disclosed when you report an error message or log an
event?
While identifying threats, examine the application tier by tier, layer by layer, and
feature by feature. By focusing on vulnerability categories, you can target those
areas most susceptible to vulnerabilities. Nevertheless, keep in mind that the
threats identified at this stage do not necessarily indicate vulnerabilities. The
objective here is to identify potential threats and the actions that an attacker might
try to use to exploit the application.
While each software application will carry unique threats, there are common ones
that should always be considered. Is the server vulnerable to identity spoofing? Is
the data vulnerable to tampering? Is the Sensitive information in error messages?
Server Users
Now that you have a list of common threats, look for threats that might be unique
to your application.
Examine each of the application’s use cases identified earlier, identifying ways in
which others might maliciously or unintentionally cause the application to perform
an unauthorized operation or disclose sensitive or private data.
As you go through this process, approach the application as an attacker might do.
Examples of the types of questions you should ask include the following:
• How could an attacker obtain sensitive data as it is passed over the network?
13
The Threat Modeling Process
Next, review the key use cases and scenarios, and analyze the data flows between
individual components in your architecture. Data flow across trust boundaries is
particularly important. A piece of code should assume that any data from outside
the code’s trust boundary is malicious. The code should perform thorough
validation of the data.
When identifying threats associated with data flows, ask the following questions:
• How does data flow from the front end to the back end of your application?
Which components call which components?
• What does valid data look like? How is the data constrained? How is data
validated against expected length, range, format, and type? Where is validation
performed?
• What sensitive data is passed between components and across networks, and
how is that data secured while in transit?
5 Identify Vulnerabilities
The final step in threat modeling is to look at all the potential threats you’ve
gathered and determine which of those affect your application. Previously, you
looked at the hypothetical threats, and now you must determine which specific
vulnerabilities you must address.
The best way to identify vulnerabilities is to examine your application layer by layer,
considering each of the vulnerability categories in each layer. To make sure you
cover the full range of vulnerabilities, it’s best to utilize an existing model or
checklist. Some of the best examples are STRIDE, ATT&CK, and CAPEC.
Depending on the level of detail required, any of these resources can benefit the
last stage of threat modeling and help you uncover your application’s
vulnerabilities.
14
Document and Report
Capture your threat model in a document, and keep it as lightweight and simple as
possible. Avoid over-formatting so that you can easily update it, but be sure to
include:
• Security objectives
• Key scenarios
• Protected resources
• Threat list
• Vulnerability list
Use the vulnerabilities to help shape your security design and implementation. For
example, developers should notice anti-patterns related to the identified
vulnerabilities and use appropriate patterns to address the issues. You can also use
the vulnerabilities to plan and scope your system testing. For example, testers
should test against the vulnerabilities to verify that the development team fixed or
addressed all known vulnerabilities.
Lastly, track and prioritize vulnerabilities in your work item tracking system. And
don’t forget to communicate the information you capture to relevant team
members, which may include your application development team, your test team,
and your network and system administrators.
15
Summary
Hopefully this guide provides useful information on getting started with Threat
Modeling. Once foundational knowledge is built, you can start to incorporate more
advanced technqiues such as building attack and threat trees. There are many
resources for that including Microsoft Threat Modeling.
16