
Threat Modeling - Process Overview

Published on: 8/14/2014
Topic: Web Application Security
Think of threat modeling as the process of understanding which assets you need to protect, from whom you need to protect them, how you protect them, what the implementation priority is, and what risk you accept if some threats are left outside the implementation scope.



What is Threat Modeling?

The focus of this exercise should not be the software application alone; it should be done with the business and user context in mind. Once the threat analysis is complete, you may certainly limit the implementation scope to the software product, as decided by the priority exercise. For example, you may fully cover the software-specific scope, but what if your admins or end users are storing system credentials on a file share? Despite full implementation on the software side, that one weakness, if exploited, would make all the other efforts useless.
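To make the five questions above concrete (assets, adversaries, protections, priority, accepted risk), here is an added Python example, not from the original page, of a minimal threat register. The threat entries and the 1..5 likelihood/impact scales are constructed assumptions; the point is that the file-share credential weakness shows up as accepted residual risk whenever the implementation scope is limited to the software product.

```python
from dataclasses import dataclass


@dataclass
class Threat:
    asset: str        # what needs protecting
    actor: str        # from whom
    control: str      # how we protect it
    scope: str        # "software" (product work) or "operational" (people/process)
    likelihood: int   # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int       # assumed scale: 1 (minor) .. 5 (critical)

    @property
    def risk(self) -> int:
        # Simple likelihood x impact score used only for ordering.
        return self.likelihood * self.impact


def prioritise(threats):
    """Highest risk first; ties keep register order (sort is stable)."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def plan(threats, implement_scope):
    """Split the ranked register into what the implementation covers and what is left as residual risk."""
    ranked = prioritise(threats)
    covered = [t for t in ranked if t.scope in implement_scope]
    residual = [t for t in ranked if t.scope not in implement_scope]
    return covered, residual


def residual_risk(threats, implement_scope):
    """Total risk score the business lives with for the chosen scope."""
    return sum(t.risk for t in plan(threats, implement_scope)[1])


# Constructed sample register for a hypothetical payment web application.
REGISTER = [
    Threat("customer card data", "external attacker", "parameterised queries, input validation", "software", 4, 5),
    Threat("user sessions", "external attacker", "output encoding against XSS", "software", 3, 4),
    Threat("system credentials", "anyone with file-share access", "keep secrets in a vault, not on a share", "operational", 4, 5),
    Threat("admin console", "external attacker", "MFA and IP allow-list", "software", 2, 4),
]

if __name__ == "__main__":
    covered, residual = plan(REGISTER, {"software"})
    for t in covered:
        print(f"IMPLEMENT risk={t.risk:2d} {t.asset}: {t.control}")
    for t in residual:
        print(f"ACCEPTED  risk={t.risk:2d} {t.asset}: {t.control} (outside scope)")
    print("residual risk accepted:", residual_risk(REGISTER, {"software"}))
```

Widening the scope to include operational controls drives the residual score to zero, which is the decision the text says should be made explicitly rather than by omission.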

