By Ann Grove, Logical's President
Although some developers see threat modeling as a low-value, high-effort exercise, the process provides a helpful, holistic view to find, identify, and evaluate risks that wouldn't otherwise be recognized.
That was the contention of John Misczak (@johnmisczak) at an OWASP Philly (@phillyowasp) event Friday. Misczak is a senior consultant at Security Risk Advisors, a security and compliance services and products company. The day's theme was web application security in agile environments. (See the next blog post to learn about better integrating the security team into the development team.)
Misczak said that a good threat model picks up problems that are not identified by other security assessments such as penetration tests (pen tests).
Let's look at the top five of the Misczak Top 10 areas that a threat model should address:
I have helped prepare threat model reports for a security consultancy client and the results were presented much like the results of a pen test with a list of findings (security weaknesses), and, for each finding, the assets impacted, a risk rating, a description of the problem, and recommendations. Therefore, I asked Misczak if organizations track and resolve threat model findings using the same methods applied for pen test findings. Misczak said many organizations do not track pen test findings to closure, and so should use a different approach to ensure that all threat model findings are fully addressed.
For those interested in threat modeling, Misczak recommended checking out a new, open-source OWASP threat modeling tool, Threat Dragon. Available for Windows, Mac, Linux (soon), or via web app, the tool includes system diagramming and a powerful rule engine to auto-generate threats/mitigations.
About the Author
Ann Grove, president of Logical, is a chapter leader for OWASP's Baltimore Chapter.