This presentation discusses the importance of threat Modeling. This presentation also discusses about different ways to perform threat modeling. This threat modeling should be done during the design phase of the application development. The main aim of the threat modeling is to identify the import assets or functionalities of the application and to protect them. Threat Modeling cuts down the cost of application development as it identifies the issues during the design phase. In this presentation we also discuss about basics of Mobile Threat Modeling. This presentation mainly concentrates on STRIDE and DREAD.

1. Threat Modeling
-Sunil

2. Agenda
Introduction to Threat Modeling
Different Ways to perform Threat Modeling
Different Stages of Threat Modeling
Understanding STRIDE & DREAD
Basics of Mobile Threat Modeling
LAB
Conclusion

3. Architectural Risk Analysis

4. Threat Modeling

5. SDL Threat Modeling Tool

6. Where do Threat Modeling Fit?

7. Asset
Definition: “an item of property owned by a
person or company, regarded as having
value and available to meet debts,
commitments, or legacies”

8. What is a threat?

9. Threats
Threats can be of:
• Natural Disasters: Floods, earthquakes etc.
• Service failures: air conditioners, power
• Accidental Threats: Humans
• Technical failures: network issues
• Malicious Human: insider and external attackers

10. What is a Vulnerability?
•Vulnerability is a weakness in the system which will aid the attacker in
successful execution/exploitation of the threat.
Example: Suppose you have a web server with low bandwidth
connection. Where the threat is that your server could be taken
offline, a pothential vulnerability is that you have low
bandwidth and could be a prey for a DoS attack. A paper is
vulnerable to fire.
•Risk: Risk is nothing but threat times vulnerability. That means the
potential loss/damage of an assest as result of a threat exploitation
using vulnerability.

11. Tom & Jerry

12. Threat

13. Vulnerability

14. Security Engineers

15. A Suggestion!
Before starting Threat Modeling warn
development team that “ Do Not Hide
Sensitive information from Doctors, Lawyers
and SECURITY ENGINEERS”

16. Cost of Bug Fixing

17. Threat Modeling
● Structured approach to Analyze the security of the application
● Allows to understand the entry points to the application and their
associated threats.
● Not an approach to review code but helps in code a lot.
● Threat Modeling will be done in design phase of SDLC.
● Threat modeling in SDLC will ensure the security builtin from the very
beginning of the application development.

18. Who can perform & involve a Threat Model
• Developer
• Tester/QA
• Architect
• Security Engineer

19. Threat Modeling High Level Overview
Kick-off
•Have a kick-off and get product overview
•Get the TLDS and PRDS
•Identify the assets
Identify Use
cases
•Draw level-0 diagram & analyze (STRIDE)
•Document the findings
•Have a meeting with dev team to discuss findings
•Identify uses cases for level-1
Level-1
•Draw level-1 diagram & analyze (STRIDE)
•Document the findings
•Have a meeting with dev team to discuss findings
•Repeat the above procedure depending upon the project complexity

20. Threat Modeling High Level Overview
ASF
• Prepare the checklist and send it to the dev team
• Analyze the document
• Document the findings
Report
• Prepare the final report
• Submit it to the product team
• Explain the findings to the product team
• Provide the mitigations to the threats

21. Different Ways to perform Threat Modeling
• Attack Centric
• Software Centric
• Asset Centric
• Worst Case Analysis
• Negation Analysis
• Defensive
• Offensive
• Threat Traceability Matrix

22. Attack Oriented Analysis
This approach requires profiling of an attacker’s characteristics
Attacker Dedication Stealth Time Knowledge Access Rank
Script Kiddie Medium Medium Weeks to
Months
Medium No access 4
External hacker Medium High Days to weeks High No access 3
Inside hacker Medium Medium Days to week Medium Indirect access 2
Organized cyber
criminal
High High Weeks to
months
High Direct 1

23. Software Centric
Spoofing
• Property 
Authentication
• Impersonating
something or
someone else
Tampering
• Integrity
• Modifying
data or code
Repudiation
• Non-
Repudiation
• Claiming to
have not
performed an
action
Information
Disclosure
• Confidentiality
• Exposing info
to
unauthorized
Denial of
Service
• Availability
• Deny or
degrade
service to
users
Elevation of
Privilege
• Authorization
• Gain
capabilities
without proper
authorization

24. Asset Centric
Asset-centric threat modeling involves starting from assests
entrusted to a system, such as a collection of sensitive personal
information.
Two ways to perform Asset-centric analysis
• Worst case scenario analysis
• Negation Analysis

25. Worst case scenario analysis

26. Worst case scenario analysis
Credit card details
exploited
Credit card details
sent over non
secure channel
http communication
to App server
Communication to
database server in
clear text
database
Credit card details
stored in clear text
SQL injection
Input validation not
done
Parameterized
prepared statement
not used

27. Negation Analysis
Example 1: Credit card details should not be exposed
Negation Statement: Credit card details should be exposed
Example 2: Application should be available all the time
Negation statement: Application should not be available all the time.

28. Defense Oriented Analysis
➢ Authentication
➢ Authorization
➢ Cookie Management
➢ Data/Input Validation
➢ Error Handling/Information Leakage
➢ Logging/Auditing
➢ Cryptography
➢ Session Management

29. Defense Oriented Analysis: Example
Some Cryptography Cheatsheet questions:
S.No Defense Mechanism Response Comments
1 Is sensitive data at rest
encrypted?
Yes/No
2 Is the algorithm used to encrypt
data meet the compliance
requirement
Yes/No
3 Is the key size of min 128 bits? Yes/No
4 Are keys properly managed Yes/No
5 Is data in transit over SSL Yes/No

30. Offensive Threat Modeling : 5P’s
Identify
Assets
Decompose
Assets
Asset
Posture
Compromise
Asset
Monitor and
Update
Identify
Objectives

31. Threat Traceability Matrix
Who Where What How Impact Mitigation
Threat
Attack
Surface
Conceptual
Goals

32. Threat Traceability Matrix: Example
Who Where What How Impact Mitigation
External
Attacker
Database Steal credit
card
information
SQL
Injections
Loss of trust
for the
organization
Parameterized
prepared
statement, input
validation

33. Three Stages of Threat Modeling
The threat modeling process can be decomposed into 3
high level steps:
➔ Decompose the Application
➔ Determine and rank threats
➔ Determine countermeasures and mitigation

34. Decompose the Application
 Threat Model Information
 Data Flow Diagrams
 Assets
 External Dependencies
 Entry Points
 Trust Levels

35. Data Flow Diagrams

36. Determine and Rank Threats (STRIDE)
Spoofing
• Property 
Authentication
• Impersonating
something or
someone else
Tampering
• Integrity
• Modifying
data or code
Repudiation
• Non-
Repudiation
• Claiming to
have not
performed an
action
Information
Disclosure
• Confidentiality
• Exposing info
to
unauthorized
Denial of
Service
• Availability
• Deny or
degrade
service to
users
Elevation of
Privilege
• Authorization
• Gain
capabilities
without proper
authorization

37. Trust Levels

38. Microsoft SDL Threat Modeling Tool

39. Sample Problem

40. Student Results Portal
 You need to perform threat analysis on a student portals web
application.
 You have three users Administrator, Teacher and Student.
 The users should login to the application and perform their
respective tasks as follows:
 Administrator is the user who will maintains the application and does not perform
any other actions.
 Teacher can view, enter and modify the student marks
 A Student can give his register number and view the marks
 Perform Threat modeling on the application by making an initial
assumption that non of the security controls exist in the
application.

41. Use Cases
 Entire Architecture
 Administration Use Case
 Authentication Use Case
 Registration Use Case
 Entering Marks Use Case
 Displaying Marks Use Case etc.

42. Sample Use case (Displaying Marks)

43. Analyzing The use case

44. Analyzing The use case

45. Analyzing The use case

46. Analyzing The use case

47. Analyzing The use case

48. STRIDE Matrix
Spoofing Tampering Repudiation Info Disclosure Denial of
Service
Elevation of
Privilege
2.teacher ✓ ✓
3.student ✓ ✓
4.firewall ✓ ✓ ✓ ✓ ✓ ✓
5.App Server ✓ ✓ ✓ ✓ ✓ ✓
6.Http req ✓ ✓ ✓
7. Http req ✓ ✓ ✓
8.response ✓ ✓
9.JDBC req ✓ ✓ ✓
10. respon ✓ ✓ ✓
11.http req ✓ ✓ ✓
12.res ✓ ✓ ✓
13.res ✓ ✓ ✓
14.Database ✓ ✓ ✓

49. Threat Analysis

50. Scoring: DREAD
DREAD is a risk ranking model
D  Damage Potential
R  Reproducibility
E  Exploitability
A  Affected users
D  Discoverability

51. Mitigation
STRIDE Threat & Mitigation Techniques List
Threat Type Mitigation Techniques
Spoofing Identity
1.Appropriate authentication
2.Protect secret data
Tampering with data
1.Appropriate authorization
2.Hashes
3.MACs
4.Digital signatures
5.Tamper resistant protocols
Repudiation
1.Digital signatures
2.Timestamps
3.Audit trails
Information Disclosure
1.Authorization
2.Privacy-enhanced protocols
3.Encryption
4.Protect secrets
5.Don't store secrets
Denial of Service
1.Appropriate authentication
2.Appropriate authorization
3.Filtering
4.Throttling
5.Quality of service
Elevation of privilege 1.Run with least privilege

52. Threat Modeling in Agile Development

53. Threat Modeling in Agile Development
In different project stage in Agile Development you need to perform
different actions:
• Project Inception
• Requirements Planning
• Sprint Planning
• Sprint
• Final Release Planning

54. Mobile Threat Modeling

55. Mobile Threat Model
•Improper session
handling
•Social Engineering
•Malicious QR Codes
•Untrusted NFC Tag or
peers
•Malicious application
•Weak Authorization
Spoofing
• Modifying local
data
• Carrier Network
Breach
• Insecure Wi-Fi
Network
Tampering
• Missing Device
• Toll Fraud
• Malware
• Client Side
Injection
Repudiation
• Malware
• Lost Device
• Reverse
Engineering
• Backend Breach
Information
Disclosure
•Crashing Apps
•Push Notification
Flooding
•Excessive API usage
•DDoS
Denial of
Service
• Sandbox escape
• Flawed Authentication
• Weak Authorization
• Compromised credentials
•Make Unauthorized
purchases
•Push Apps Remotely
• Compromised Device
•Rooted/JailBroken
•RootKitsElevation of
Privilege

56. LAB
• Assume a shopping application which has minimum
web server, application server, database, LDAP,
payment service.
• Create High Level architecture diagram(Level-0)
• Identify use cases for the application
• Perform STRIDE on couple of use cases(Level-1) using
Microsoft threat modeling tool.

57. Conclusion
Implement Threat Modeling in SDLC
Cuts down the cost
Makes analysis simple
Mix and Match different types of Threat
Models

58. Credits
https://thenounproject.com/
https://www.owasp.org/index.php/Application_Threat_Modeling
http://www.cartoonstock.com/directory/s/solider.asp
http://www.thebadchemicals.com/?p=17
http://en.wikipedia.org/wiki/Threat_model
http://resources.infosecinstitute.com/intro-secure-software-development-life-cycle/
https://technet.microsoft.com/en-us/security/hh855044.aspx
http://arthurminduca.com/2014/03/07/quality-assurance-in-software-development-when-should-you-start-the-testing-process/
http://en.wikipedia.org/wiki/Bingham_Canyon_Mine
http://www.curbsideclassic.com
http://www.businessinsider.com.au/
https://animationreview.files.wordpress.com/
http://securitywatch.pcmag.com
Microsoft SDL Threat Modeling Tool

59. Social Media
@anvsunil https://in.linkedin.com/in/anvsunil

60. THANK YOU