Sunday, February 10, 2013

Application Security Auditing: Threat Modeling, Vulnerability Assessment and Penetration Testing


Introduction

Threat modeling is a structured way to identify the highest-risk areas of an application and tie them to known attacks and countermeasures. Because it draws on a detailed understanding of the application's business logic and design, an organization that threat-models its applications can eliminate many attack vectors before a line of code is written. For existing applications, threat modeling is also used to decide which components are in scope, and in what order, for code review and penetration testing.

Overview

  • Find possible vulnerabilities in the design of an application
  • Determine necessary countermeasures to potential attacks
  • Prioritize components for run-time and source code analysis in large applications
Key Business Benefits

  • Cost reduction: other application security testing activities (code review, penetration testing) can be focused on the components the model ranks as highest risk
  • Architects and designers can evaluate the application for security weaknesses during the design phase, when fixing them is cheapest
  • The threat model is a reusable asset: in future releases it shows whether new security controls are needed or whether the existing controls still suffice
Methodology

  • Gather Information: Understand the application's use cases, business requirements, data types, technical design, and other information by interviewing key stakeholders and analyzing diagrams
  • Decompose Application: Break application out into user roles, data types, and hardware/software components used
  • Data Flow Diagram (DFD): Map out data flow between logical components at various levels of granularity, including the trust boundaries the data crosses. This builds a clear picture of how data moves through the application and serves as the basis for understanding the root cause of vulnerabilities found in later testing activities of the application security program.
  • Debug and Reverse Engineering: One of the most powerful tools available to a security-minded developer. Stepping through the running application, or reverse engineering it where source is unavailable, shows what the code and its functions actually do at run time, particularly where input influences heap memory allocation or processing loops.
  • Security Source Code Review: A detailed analysis of the source code to find both accidental security weaknesses and deliberately introduced ones such as application back-doors.
  • Identify Risk: Using existing application and data classification efforts, or creating them for this application if none exist, assign a risk level to each data type the application handles
  • Use Cases: Outline the major uses cases for the application and analyze each for potential threats to confidentiality, integrity, and availability
  • Attack Trees: Determine possible attacks for each attack vector outlined in the use case, prioritized by risk. Determine countermeasures for each attack and use this as either a basis for application design or as a checklist during penetration testing / source code review.
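As an added example (this is not code from the original post), here is the methodology above reduced to a small runnable Python threat model: the application is decomposed into DFD elements placed in named trust zones, each element carries the classification of the data it handles, threats are enumerated per element using the STRIDE-per-element table (a Microsoft SDL practice the post does not name), and elements and flows are ranked so that the riskiest components come first for code review and penetration testing. An attack tree with AND/OR nodes is then evaluated for the cheapest path and re-evaluated after a countermeasure, which is the reuse-in-future-releases benefit described earlier. The sample shop application, its zones, the classification scale, the effort numbers and the risk formula are all constructed here for illustration.

```python
"""Added example, not code from the original post: the threat modeling
methodology as a data-driven, runnable model. The sample application, trust
zones, classification scale, effort numbers and the STRIDE-per-element table
are assumptions made here for illustration."""
from dataclasses import dataclass, field

# Data classification levels (constructed): higher means more sensitive.
CLASSIFICATION = {"public": 1, "internal": 2, "confidential": 3, "restricted": 4}
STRIDE = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service",
          "E": "Elevation of privilege"}
# STRIDE-per-element: threat categories that apply to each DFD element type.
# (Repudiation on a data store mainly concerns stores that hold audit logs.)
STRIDE_PER_ELEMENT = {"external": "SR", "process": "STRIDE",
                      "datastore": "TRID", "dataflow": "TID"}

@dataclass
class Element:
    name: str
    kind: str      # external | process | datastore
    zone: str      # trust zone; a flow between two zones crosses a trust boundary
    data: list     # classification labels of the data the element handles

@dataclass
class Flow:
    src: str
    dst: str
    data: str      # classification label of the data carried

def crosses_boundary(flow, elements):
    return elements[flow.src].zone != elements[flow.dst].zone

def impact(labels):
    return max(CLASSIFICATION[label] for label in labels)

def threats_for(kind):
    return [STRIDE[code] for code in STRIDE_PER_ELEMENT[kind]]

def prioritize(elements, flows):
    """Rank DFD elements and flows for review. Constructed formula:
    risk = impact of the data handled x exposure, where exposure grows with
    every trust-boundary crossing the item takes part in.
    Returns (score, name, applicable STRIDE threats), highest risk first."""
    ranked = []
    for e in elements.values():
        crossings = sum(1 for f in flows
                        if e.name in (f.src, f.dst) and crosses_boundary(f, elements))
        ranked.append((impact(e.data) * (1 + crossings), e.name, threats_for(e.kind)))
    for f in flows:
        exposure = 2 if crosses_boundary(f, elements) else 1
        ranked.append((impact([f.data]) * exposure, f"{f.src} -> {f.dst}",
                       threats_for("dataflow")))
    return sorted(ranked, key=lambda item: -item[0])   # stable: ties keep order

@dataclass
class Node:
    """Attack-tree node: OR = any child achieves the goal, AND = all children
    are needed, LEAF = a concrete attack step with an effort estimate (1-10)."""
    goal: str
    op: str = "OR"
    cost: int = 0
    children: list = field(default_factory=list)

def cheapest(node):
    """Least attacker effort to reach the goal, and the leaf steps on that path."""
    if node.op == "LEAF":
        return node.cost, [node.goal]
    paths = [cheapest(child) for child in node.children]
    if node.op == "AND":
        return sum(c for c, _ in paths), [g for _, steps in paths for g in steps]
    return min(paths, key=lambda p: p[0])

def harden(node, goal, extra):
    """Model a countermeasure as added attacker effort on the matching leaf."""
    if node.op == "LEAF" and node.goal == goal:
        node.cost += extra
    for child in node.children:
        harden(child, goal, extra)

# Constructed sample application: an internet-facing shop with a payment backend.
ELEMENTS = {e.name: e for e in [
    Element("Browser", "external", "internet", ["confidential"]),
    Element("Web app", "process", "dmz", ["confidential", "restricted"]),
    Element("Payment service", "process", "internal", ["restricted"]),
    Element("Customer DB", "datastore", "internal", ["restricted"]),
    Element("Audit log", "datastore", "internal", ["internal"])]}
FLOWS = [Flow("Browser", "Web app", "confidential"),
         Flow("Web app", "Payment service", "restricted"),
         Flow("Payment service", "Customer DB", "restricted"),
         Flow("Web app", "Audit log", "internal")]
CARD_DATA_TREE = Node("Read card data", "OR", children=[
    Node("Via the Web app", "AND", children=[
        Node("Exploit an injection flaw in Web app", "LEAF", cost=4),
        Node("Pivot from dmz to internal network", "LEAF", cost=5)]),
    Node("Obtain an unencrypted DB backup", "LEAF", cost=7),
    Node("Recruit a DBA", "LEAF", cost=9)])

if __name__ == "__main__":
    for score, name, threats in prioritize(ELEMENTS, FLOWS):
        print(f"{score:3}  {name:30} {', '.join(threats)}")
    print("cheapest attack:", cheapest(CARD_DATA_TREE))
    harden(CARD_DATA_TREE, "Obtain an unencrypted DB backup", 5)  # encrypt backups
    print("after hardening:", cheapest(CARD_DATA_TREE))
```

Run as a script, the ranking puts the DMZ web application first (it handles restricted data and sits on three trust-boundary crossings), so it is where code review and penetration testing effort should go first. The attack tree makes the complementary point: before hardening, the cheapest route to the card data is not the application at all but an unencrypted backup, so encrypting backups is the countermeasure that changes the attacker's best option. The scoring formula is deliberately simple; substitute whatever rating scheme the organization already uses.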
