Tuesday, May 17, 2005

Threat Modeling Guide resource at Microsoft

Microsoft has an excellent resource for Threat Modeling here. This guide intends to speak on Threat Modeling and covers steps to create Threat Models.

For those new, let me brief about Threat Modeling: Threat Modeling is technique that encompass around security right from the Design phase. Applications should be secure by design, as well as secure by coding. Threat models when fully constructed can be seen as "attack patterns". It would enable all - architects to app coders, to successfully absorb threats, vulnerabilities and attacks.

Threat modeling revolves around three key stages:
1. Collecting background information for the application
2. Modeling the system : Typically in this stage you would draw boundaries around the app you develop and start seeing application from attackers prespective.
3. Determine threats : Once you have modeled the system, you determine the threats and develop some severity for each threat detected. This severity would be qualitative as well as quantitative. Quantitative in the sense, you apply STRIDE for the threats determined, and Qualitative in the sense you apply DREAD ranking. And finally you get the severity count for each threat determined. Higher the severity, higher is the app risk prone. And you could solve the problem, before it actually begins !!!



Post a Comment

<< Home