Threat Modeling

Threat modeling involves determining who would be most likely to attack a system and what possible ways an attacker could compromise the system. The results of a threat modeling exercise help determine what risks the threats are to a system and what security precautions should be taken to protect the system. In Chapter 8 we will look at how threat profiling plays an integral part in the security development methodology.

Web applications and all computing systems use security procedures and tools to provide access to the system for legitimate users and to prevent unauthorized users from accessing the system. Different users are often allowed different types of access to a system. For example, a Web application may allow read-only access to the public and allow only authorized users to perform updates to data. A potential attacker wanting to compromise a system must look at what avenues are available in accessing the system, and then he must try to exploit any vulnerabilities. For example, if an attacker has only public read-only access, he can examine as much of the Web site as possible and try various attacks, such as malformed URLs, various FORM attacks, and so forth. Perhaps, after a thorough search, he may find the only attack he can perform is to fill up some customer service rep’s mailbox. But if the attacker discovers a legitimate logon account, further possibilities for attack open up to him. Once logged in as an authorized user, he is allowed access to more of the Web site, which allows him to try attacks at more points in the application. Perhaps he can now deface the Web site or alter data in a database. A threat model allows an assessment of what damage can be inflicted by an attacker who has specific types of access.