Step 5: Threat-Model the Vulnerabilities


Chapters 14 and 15 discuss how to use threat modeling to determine the security vulnerabilities of a system. Threat modeling can be done during any phase of the project, but there are definite advantages to doing it during the design phase. It commonly follows a set course:

  1. Identify who the potential intruders are.

  2. Brainstorm the ways an intruder could attack the system, and generate a list of vulnerabilities.

  3. Rank the vulnerabilities by decreasing risk, where risk is equal to damage potential and chance of attack.

  4. Choose the action to take for each vulnerability. For high-risk vulnerabilities, this means fixing the problem or changing the architecture so that the vulnerability is removed. For low-risk vulnerabilities, your response can be to fix or remove the vulnerability, or ignore, warn of, or limit the damage of the vulnerability. The action you take depends on the security level you decided to use for the system in step 2 earlier in the chapter. If you are constrained to the point that you can’t fix the vulnerability, it’s better to know about it during the design phase than to discover it when an intruder successfully attacks the system.

When looking at threat modeling, it’s useful to brainstorm the threats for the entire system, not just for the application you’re creating. You should consider other applications, the domain architecture, and all aspects of the system. If you have a limited budget and have to choose between fixing lockdown, authentication, or authorization issues, prioritize lockdown above everything else. Lockdown is the top priority because if an intruder can break into the system by bypassing authentication and authorization, spending time improving the other technologies is fruitless.
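The ranking and budget rules above can be kept as a small threat register. The following Python sketch is an added example, not code from the book. It assumes 1 to 10 scales, risk computed as damage times chance, a high-risk cut-off of 50, and effort estimates in days; the sample threats are constructed.

```python
from dataclasses import dataclass

# Assumptions (not from the book): 1-10 scales, risk = damage * chance,
# and a cut-off of 50 between high-risk and low-risk items.
HIGH_RISK = 50

@dataclass
class Threat:
    name: str
    area: str      # "lockdown", "authentication" or "authorization"
    damage: int    # damage potential, 1 (minor) to 10 (severe)
    chance: int    # chance of attack, 1 (unlikely) to 10 (expected)
    fix_cost: int  # assumed effort in days to fix or redesign

    @property
    def risk(self) -> int:
        return self.damage * self.chance

def plan(threats, budget_days):
    """Return [(threat, action)] in the order the work should be done."""
    # Step 3: decreasing risk, with lockdown issues ahead of everything
    # else because the budget is limited.
    ordered = sorted(threats, key=lambda t: (t.area != "lockdown", -t.risk))
    result = []
    for t in ordered:
        # Step 4: choose an action for each vulnerability.
        if t.fix_cost <= budget_days:
            budget_days -= t.fix_cost
            action = "fix"
        elif t.risk >= HIGH_RISK:
            # High risk but unaffordable: record it during design.
            action = "unfixed: document and limit damage"
        else:
            action = "accept and warn"
        result.append((t, action))
    return result

# Constructed sample threats for a hypothetical intranet application.
SAMPLE = [
    Threat("Any user can open admin reports by URL", "authorization", 9, 7, 3),
    Threat("Unneeded services enabled on web server", "lockdown", 8, 6, 2),
    Threat("Passwords stored in clear text", "authentication", 6, 5, 4),
    Threat("Default sample sites left installed", "lockdown", 3, 4, 1),
]

if __name__ == "__main__":
    for threat, action in plan(SAMPLE, budget_days=6):
        print(f"{threat.risk:3d}  {threat.area:14s} {threat.name}: {action}")
```

With a six-day budget both lockdown items and the authorization issue are fixed, and the authentication issue is left as a known, accepted risk.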




Security for Microsoft Visual Basic .NET
ISBN: 735619190
EAN: N/A
Year: 2003
Pages: 168
