"Secure web applications by design"
Services Resources About Us
◊ Secure Application Design
◊ Training
◊ PCI Assessments
◊ Pen Testing 		◊ SDLC Improvement
◊ Threat Classification
◊ Industry Links
◊ Tools 		◊ Mission
◊ Affiliations
◊ Past Projects
Threat Classification
Our training details a more comprehensive threat model.  But for organizations just getting started in threat modeling, the following are some well accepted models:

WASC

The Web Application Security Consortium (WASC) is an international group of experts, industry practitioners, and organizational representatives who produce open source and widely agreed upon best-practice security standards for the World Wide Web.  The Web Security Threat Classification is a cooperative effort to clarify and organize the threats to the security of a web site. The members of the Web Application Security Consortium have created this project to develop and promote industry standard terminology for describing these issues. Application developers, security professionals, software vendors, and compliance auditors will have the ability to access a consistent language for web security related issues.

DREAD

A simplistic rating system used at Microsoft, the DREAD model is used to help calculate risk. By using the DREAD model, you arrive at the risk rating for a given threat by asking the following questions.

* Damage potential: How great is the damage if the vulnerability is exploited?
* Reproducibility: How easy is it to reproduce the attack?
* Exploitability: How easy is it to launch an attack?
* Affected users: As a rough percentage, how many users are affected?
* Discoverability: How easy is it to find the vulnerability?

You can use above items to rate each threat. You can also extend the above questions to meet your needs. For example, you could add a question about potential reputation damage:

STRIDE

STRIDE is an acronym for the taxonomy of security threats your application may face. The following six threat categories can help you identify vulnerabilities and potential attack vectors in your own applications.

Spoofing identity : An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password.

Tampering with data : Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet.

Repudiation : Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise—for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Nonrepudiation refers to the ability of a system to counter repudiation threats. For example, a user who purchases an item might have to sign for the item upon receipt. The vendor can then use the signed receipt as evidence that the user did receive the package.

Information disclosure : Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it—for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers.

Denial of service : Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats to improve system availability and reliability.

Elevation of privilege : In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself.
 
 
Home | Services | Resources | Privacy | Legal | Contact
 
Copyright © 2006 Security Crossing, All Rights Reserved.