Threat modeling is a structured approach to identifying and mitigating potential security threats in a system or application. The two main ways to create visual representations for threat modeling are using Data Flow Diagrams (DFDs) or Process Flow Diagrams (PFDs).
A] Data Flow Diagram (DFD) Approach:
Overview:
- Purpose: Visualize how an application processes, stores, and manipulates data within a system.
- Methodology Examples: Microsoft, PASTA, Trike.
Steps:
a. View System as an Adversary:
- Consider how an attacker might exploit vulnerabilities in the system.
b. Characterize the System:
- Understand how data flows within the application and the infrastructure, including where data crosses trust boundaries.
c. Determine Threats:
- Use the STRIDE threat classification scheme (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege) to identify broad categories of threats.
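The three DFD steps above, carried through in code as an added example (this is not from the original page or from any of the named methodologies). It models a small DFD of elements and data flows with trust zones, then applies STRIDE per element type. The element-to-category table is an assumption of this example; it follows the commonly used Microsoft SDL "STRIDE-per-element" mapping, and the browser/web app/database system is constructed for illustration.

```python
"""Added example: toy Data Flow Diagram with STRIDE-per-element enumeration.
Not from the page. The STRIDE_PER_ELEMENT table is assumed (common SDL mapping),
and the sample system is constructed."""
from dataclasses import dataclass, field

EXTERNAL, PROCESS, STORE, FLOW = "external_entity", "process", "data_store", "data_flow"

# Assumed mapping: which STRIDE categories are considered for each DFD element type.
STRIDE_PER_ELEMENT = {EXTERNAL: "SR", PROCESS: "STRIDE", STORE: "TRID", FLOW: "TID"}
STRIDE_NAMES = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege",
}


@dataclass
class Element:
    name: str
    kind: str
    trust_zone: str  # trust boundary the element lives in, e.g. "internet" or "backend"


@dataclass
class DataFlow:
    name: str
    src: str
    dst: str


@dataclass
class Dfd:
    elements: dict = field(default_factory=dict)
    flows: list = field(default_factory=list)

    def add(self, element):
        self.elements[element.name] = element

    def connect(self, name, src, dst):
        if src not in self.elements or dst not in self.elements:
            raise ValueError(f"unknown element in flow {name!r}")
        self.flows.append(DataFlow(name, src, dst))

    def crosses_boundary(self, flow):
        # Step b: a flow between different trust zones crosses a trust boundary.
        return self.elements[flow.src].trust_zone != self.elements[flow.dst].trust_zone


def enumerate_threats(dfd):
    """Step c: list the STRIDE categories that apply to every element and flow."""
    threats = []
    for e in dfd.elements.values():
        for letter in STRIDE_PER_ELEMENT[e.kind]:
            threats.append({"target": e.name, "category": STRIDE_NAMES[letter],
                            "crosses_boundary": False})
    for f in dfd.flows:
        crosses = dfd.crosses_boundary(f)
        for letter in STRIDE_PER_ELEMENT[FLOW]:
            threats.append({"target": f.name, "category": STRIDE_NAMES[letter],
                            "crosses_boundary": crosses})
    return threats


def boundary_threats(dfd):
    """Step a, from the adversary's side: flows crossing a trust boundary are reviewed first."""
    return [t for t in enumerate_threats(dfd) if t["crosses_boundary"]]


def sample_dfd():
    """Constructed sample: browser -> web app -> orders database, one trust boundary."""
    d = Dfd()
    d.add(Element("Browser", EXTERNAL, "internet"))
    d.add(Element("Web app", PROCESS, "backend"))
    d.add(Element("Orders DB", STORE, "backend"))
    d.connect("HTTP request", "Browser", "Web app")   # crosses internet -> backend
    d.connect("SQL query", "Web app", "Orders DB")    # stays inside backend
    return d


if __name__ == "__main__":
    for t in enumerate_threats(sample_dfd()):
        flag = "  [crosses trust boundary]" if t["crosses_boundary"] else ""
        print(f"{t['target']:<14} {t['category']}{flag}")
```

The enumeration is deliberately broad, which is exactly the weakness the page lists next: STRIDE per element yields categories to review, not concrete threats, so each entry still needs a human to decide whether it applies and what mitigates it.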
Weaknesses:
- DFDs might not accurately represent the application’s design and user interactions.
- Limited threat identification, making it a weak starting point for modeling.
- Lack of standardization, leading to different threat models for the same scenario.
B] Process Flow Diagram (PFD) Approach:
Overview:
- Purpose: Overcome limitations of DFD by focusing on how attackers navigate through the application.
- Designed to: Illustrate how attackers think and emphasize abusing ordinary use cases.
Steps:
a. Design Application's Use Cases:
- Identify and define the various interactions users have with the application.
b. Define Communication Protocols:
- Specify how users move between different use cases.
c. Include Technical Controls:
- Consider elements like forms, cookies, and other controls in the threat modeling.
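The three PFD steps above as an added example, not from the original page: use cases are nodes, each transition records the communication protocol and the technical controls it requires, and a check walks the process map the way an attacker would, looking for a sensitive use case reachable from the public entry point along a path that never requires a given control. The use cases, protocols and control names are constructed for illustration; the "Order lookup" shortcut is a deliberately weak design, shown beside its corrected form.

```python
"""Added example: toy Process Flow Diagram (use cases + transitions + controls).
Not from the page; all use cases, protocols and controls are constructed."""
from collections import deque


class ProcessFlow:
    def __init__(self):
        self.transitions = []  # each: {"src", "dst", "protocol", "controls"}

    def add(self, src, dst, protocol, controls=()):
        # Step a/b: a use case reached from another over some protocol.
        # Step c: the technical controls the transition requires (cookie, token, ...).
        self.transitions.append({"src": src, "dst": dst, "protocol": protocol,
                                 "controls": frozenset(controls)})

    def paths_without(self, start, control):
        """Map each use case reachable from `start` to one path on which no
        transition requires `control` (breadth-first, so paths are shortest)."""
        paths = {start: [start]}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for t in self.transitions:
                if t["src"] == node and control not in t["controls"] and t["dst"] not in paths:
                    paths[t["dst"]] = paths[node] + [t["dst"]]
                    queue.append(t["dst"])
        del paths[start]
        return paths

    def unprotected(self, entry, sensitive, control):
        """Sensitive use cases an actor can reach from `entry` without ever
        presenting `control`: each is an ordinary use case open to abuse."""
        reachable = self.paths_without(entry, control)
        return {uc: reachable[uc] for uc in sensitive if uc in reachable}


def sample_flow(lookup_requires_session=False):
    """Constructed web shop. With the default, the guest order-lookup form leads
    to order history with only an order id; the fix adds the session cookie."""
    pf = ProcessFlow()
    pf.add("Landing page", "Login", "HTTPS form")
    pf.add("Login", "Account", "HTTPS", ["session_cookie"])
    pf.add("Account", "Change password", "HTTPS form", ["session_cookie", "csrf_token"])
    pf.add("Account", "Order history", "HTTPS", ["session_cookie"])
    pf.add("Landing page", "Order lookup", "HTTPS form")
    controls = ["order_id"] + (["session_cookie"] if lookup_requires_session else [])
    pf.add("Order lookup", "Order history", "HTTPS", controls)
    return pf


SENSITIVE = ["Order history", "Change password"]

if __name__ == "__main__":
    for fixed in (False, True):
        found = sample_flow(fixed).unprotected("Landing page", SENSITIVE, "session_cookie")
        label = "corrected" if fixed else "weak"
        print(f"{label}: {found or 'no sensitive use case reachable without a session'}")
```

The review question the map answers is the PFD one: not "which component is vulnerable" but "which legitimate sequence of use cases lets someone reach something sensitive while skipping a control", which is readable without deep security expertise because it is phrased in terms of the application's own screens and forms.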
Advantages:
- PFD-based threat models are easy to understand and don’t require deep security expertise.
- Creation of a process map helps understand the application from an attacker’s perspective.