3 Approaches to Threat Modeling

on MAY 28, 2012 by MYAPPSECURITY in THREAT MODELING
(printed 24/04/2015 from http://myappsecurity.com/approachestothreatmodeling/)
Threat modeling can be viewed in two different, but related, contexts. One is the implementation of security controls by architects that map to security requirements and policy; the other is the enumeration of all known attacks against the components or assets in a threat model, with the goal of implementing countermeasures against those threats.

The three general approaches to threat modeling are:

Software centric
Asset centric
Attacker centric

The figure below illustrates the components that provide the basis for the different approaches to threat modeling:

[Figure: components underlying the software centric, asset centric and attacker centric approaches (image not reproduced in this copy)]

Below is a brief description of each of the approaches:

Software Centric Threat Modeling:
This approach starts from the design of the system, which can be illustrated using software architecture diagrams such as data flow diagrams (DFD), use case diagrams, or component diagrams.
This method is commonly used to threat model networks and systems and has been adopted as the de facto standard for threat modeling. A good example of a software centric approach is Microsoft's Security Development Lifecycle (SDL). Both the Microsoft SDL Threat Modeling Tool and the Threat Analysis & Modeling (TAM) tool illustrate threat modeling by means of DFDs.
With its product ThreatModeler, MyAppSecurity provides a threat modeling framework that encompasses a high-level, component-based design combined with a software centric approach. From the threat model, the threats to each component are displayed and the specific security controls that will mitigate those threats are identified, along with the secure coding standards that should be applied during the application design phase.
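The software centric workflow described above (components in trust boundaries, data flows between them, threats enumerated per component and mapped to controls) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not ThreatModeler's, Microsoft's or any other vendor's code. The three-tier model, the STRIDE-per-element-type table and the control catalogue are illustrative assumptions, and the rule that only boundary-crossing flows receive flow threats is a modelling choice stated in the comments.

```python
# Added example (not ThreatModeler's or Microsoft's code): a minimal
# software-centric threat model. A DFD is described as elements inside
# trust boundaries plus the data flows between them; STRIDE threats are
# enumerated per element type and per boundary-crossing flow, and each
# threat is mapped to a control. Element names, the STRIDE-per-element
# table and the control catalogue are illustrative assumptions.
from dataclasses import dataclass, field

# STRIDE letters applicable to each DFD element type. This follows the
# widely used "STRIDE per element" heuristic; the exact table is a
# modelling choice, not something the page prescribes.
STRIDE_BY_TYPE = {
    "external": "SR",     # external entity: Spoofing, Repudiation
    "process": "STRIDE",  # process: all six classes
    "store": "TRID",      # data store: Tampering, Repudiation, Info disclosure, DoS
    "flow": "TID",        # data flow: Tampering, Info disclosure, DoS
}

# Illustrative control catalogue, one generic mitigation per threat class.
CONTROLS = {
    "S": "authenticate the peer (mutual TLS, signed session tokens)",
    "T": "integrity protection (MAC or signature, strict input validation)",
    "R": "tamper-evident audit logging",
    "I": "encryption in transit and at rest, least-privilege data access",
    "D": "rate limiting, quotas and timeouts",
    "E": "least-privilege execution, authorization on every request",
}


@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "external" | "process" | "store"
    boundary: str   # name of the trust boundary the element sits in


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str


@dataclass
class Model:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, *elements):
        for e in elements:
            if e.kind not in ("external", "process", "store"):
                raise ValueError(f"unknown element kind: {e.kind}")
            self.elements[e.name] = e

    def flow(self, src, dst, data):
        if src not in self.elements or dst not in self.elements:
            raise KeyError("flow endpoints must be added before the flow")
        self.flows.append(Flow(src, dst, data))

    def crosses_boundary(self, f):
        return self.elements[f.src].boundary != self.elements[f.dst].boundary

    def threats(self):
        """Return (target, STRIDE letter, control) tuples for the whole model."""
        found = []
        for e in self.elements.values():
            for t in STRIDE_BY_TYPE[e.kind]:
                found.append((e.name, t, CONTROLS[t]))
        for f in self.flows:
            # Only flows that cross a trust boundary get flow threats; a flow
            # between two elements in the same boundary is treated as trusted
            # (a modelling assumption made explicit here).
            if self.crosses_boundary(f):
                for t in STRIDE_BY_TYPE["flow"]:
                    found.append((f"{f.src} -> {f.dst} [{f.data}]", t, CONTROLS[t]))
        return found

    def report(self):
        """Map each target to the string of STRIDE letters raised against it."""
        by_target = {}
        for target, letter, _ in self.threats():
            by_target[target] = by_target.get(target, "") + letter
        return by_target


def sample_model():
    """Constructed three-tier example: browser on the internet, web app in a
    DMZ, database on an internal network."""
    m = Model()
    m.add(Element("Browser", "external", "internet"),
          Element("WebApp", "process", "dmz"),
          Element("OrdersDB", "store", "internal"))
    m.flow("Browser", "WebApp", "HTTP request")
    m.flow("WebApp", "OrdersDB", "SQL query")
    m.flow("OrdersDB", "WebApp", "result set")
    return m


if __name__ == "__main__":
    for target, letters in sample_model().report().items():
        print(f"{target:40s} {letters}")
```

Running the script lists every element and every boundary-crossing flow with the threat classes raised against it; the `threats()` tuples carry the control to apply. The point a practitioner should take from it is that the threat list falls out of the diagram mechanically once trust boundaries are drawn, which is why getting the boundaries right matters more than the element names.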

Asset Centric Threat Modeling:
An asset centric approach starts by identifying the assets of an organization that are entrusted to a system or piece of software, i.e. the data processed by the software. Assets are classified according to data sensitivity and their intrinsic value to a potential attacker, in order to prioritize risk levels.
Using this approach, attack trees, attack graphs, or other displays of the patterns by which an asset can be attacked are generated. Security professionals often argue that this approach should not be classified as threat modeling on its own, but is simply the inevitable result of a software centric design approach.
This approach helps identify multi-step attacks and the paths by which an attacker can reach an asset. Based on risk analysis, these paths can then be weighted and prioritized accordingly. Trike and Amenaza's SecurITree both support the creation of attack trees, while ThreatModeler automatically generates attack trees from the data provided in the software component threat model.

Attacker Centric Threat Modeling:
An attacker centric approach to threat modeling profiles an attacker's characteristics, skill set, and motivation to exploit vulnerabilities, and then uses those profiles to understand which type of attacker would be most likely to execute specific types of exploits, so that a mitigation strategy can be implemented accordingly.
The attacker centric approach also uses tree diagrams. Key elements of this approach include focusing on the specific goals of an attacker; the various considerations related to the system upon which the attack could be perpetrated, along with its software and assets; how the attack could be carried out; and finally, a means to detect or mitigate such an attack. An analyst may also list and analyze related attack patterns or approaches to make these same determinations.
An example would be an attack to obtain information from a backend database. The considerations would be to confirm that a database is used at the backend, that there is a means to feed database queries in as input, and finally how to avoid detection and prevention mechanisms. The approach would be specific SQL injection commands for the database identified, or the potential use of tools by which the exploitation process could be automated.
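Both the asset centric section (weighting and prioritizing attack paths to an asset) and the attacker centric section (matching attacker profiles to the exploits they are likely to execute) rest on the same structure: an AND/OR attack tree whose leaves carry attributes. The following added example, written for this page and not taken from ThreatModeler, Trike or SecurITree, builds one tree for the page's own scenario of reading records from a backend database and evaluates it twice: once to find the cheapest path to the asset, and once per attacker profile with leaves the profile cannot execute pruned. The tree contents, the cost and skill numbers, the 1 to 5 skill scale and the profile names are all constructed for illustration.

```python
# Added example (not the page's, ThreatModeler's, Trike's or SecurITree's
# code): an AND/OR attack tree against a single asset, each leaf carrying
# an effort cost and a minimum attacker skill. Evaluating the tree gives
# the cheapest path to the asset (asset centric weighting); filtering
# leaves by skill gives the cheapest path open to a given attacker
# profile (attacker centric). Tree contents, costs, skill levels and the
# profiles are constructed for illustration.
from dataclasses import dataclass, field

INF = float("inf")


@dataclass
class Node:
    goal: str
    op: str = "LEAF"            # "AND" | "OR" | "LEAF"
    children: list = field(default_factory=list)
    cost: int = 0               # LEAF only: attacker effort, arbitrary units
    skill: int = 0              # LEAF only: minimum attacker skill, 1..5


def cheapest(node, max_skill):
    """Return (cost, steps) for the cheapest attack an attacker of skill
    <= max_skill can carry out through this node; (INF, []) if none.
    OR nodes take the cheapest child, AND nodes need every child."""
    if node.op == "LEAF":
        if node.skill > max_skill:
            return INF, []
        return node.cost, [node.goal]
    results = [cheapest(c, max_skill) for c in node.children]
    if node.op == "OR":
        return min(results, key=lambda r: r[0])
    if node.op == "AND":
        total = sum(r[0] for r in results)
        if total == INF:
            return INF, []
        return total, [step for r in results for step in r[1]]
    raise ValueError(f"unknown node type: {node.op}")


def build_tree():
    """Constructed tree for the page's own scenario: reading records from a
    backend database. The SQL injection branch mirrors the page's three
    considerations (confirm a backend DB, find query input, evade detection)."""
    sqli = Node("read records via SQL injection", "AND", [
        Node("confirm a database sits behind the application", cost=1, skill=1),
        Node("find an input that reaches a database query", cost=2, skill=2),
        Node("evade the WAF and query logging", cost=3, skill=3),
    ])
    creds = Node("read records with stolen credentials", "OR", [
        Node("phish the database administrator", cost=4, skill=2),
        Node("find database credentials in a public source repository", cost=2, skill=1),
    ])
    direct = Node("read records by compromising the database host", "AND", [
        Node("reach the database network segment", cost=5, skill=4),
        Node("exploit the database service remotely", cost=6, skill=5),
    ])
    return Node("obtain customer records from the backend database", "OR",
                [sqli, creds, direct])


# Attacker profiles: name -> maximum skill level (assumed 1..5 scale).
PROFILES = {"opportunist": 1, "skilled criminal": 3, "well-resourced group": 5}


def by_profile(tree, profiles=PROFILES):
    """Cheapest feasible path per attacker profile."""
    return {name: cheapest(tree, skill) for name, skill in profiles.items()}


def priority(tree, asset_value, max_skill):
    """Simple asset centric weight: value at stake divided by attacker
    effort, so a valuable asset with a cheap path ranks highest.
    Returns 0 when no path is feasible for that skill level."""
    cost, _ = cheapest(tree, max_skill)
    return 0.0 if cost == INF else asset_value / cost


if __name__ == "__main__":
    tree = build_tree()
    for name, (cost, steps) in by_profile(tree).items():
        print(f"{name}: cost {cost}")
        for s in steps:
            print("   -", s)
```

With these constructed numbers the cheapest route to the records for every profile is the leaked-credentials leaf, not the SQL injection branch the page walks through; the SQL injection branch only becomes reachable at skill 3 and still costs three times as much. That is the kind of result the asset centric weighting is meant to surface: the mitigation budget should follow the cheapest feasible path for the attacker you actually expect, not the most familiar exploit.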

ThreatModeler, MyAppSecurity's flagship offering, is the industry's first automated, scalable, and repeatable threat modeling product. Please contact us to learn more about ThreatModeler.

References:
http://www.myappsecurity.com/threatmodeler/
http://www.microsoft.com/security/sdl/default.aspx
http://en.wikipedia.org/wiki/Threat_model
http://www.csl.sri.com/projects/cam/
(C) Copyright MyAppSecurity 2013-15