Here be dragons
OWASP released its tool called Threat Dragon. It’s a free threat modeling tool that you can download right away. It’s not a big thing yet, but it might be in the near future. Let’s take a look why.
First of all, threat modeling is not a silver bullet for bugs in an existing application. It is a process of discovering potential security vulnerabilities in early stages of development. It’s a thing that you do on a blackboard even before you start coding. It might sound boring but in fact you do threat modeling every day without knowing it.
You start the engine of your car and threat modeling is already in progress. You check that car headlights are working because it is dark outside, and lack of view is a threat. You check that windows are in place, because it’s cold and windy. You check that oil and gas levels are ok because it might cause trouble. Oh, the coolant is low but we know how to mitigate this threat.
Threat modeling is basically planning! When done properly it could assess the probability, potential harm and priority of threats.
So, in IT security we use threat modeling to predict what might go wrong.
In most cases developers have little experience with security, their main goal is to deliver a product with certain features. We ask them to draw a diagram how a product or a feature is supposed to work. Then we can point at potential vulnerabilities and even teach developers to detect security flaws on their own.
Ok, let’s dive into modeling.
Developer draws a simple model of a web-based application that looks like this.
Then we ask how are users supposed to authenticate there? Oh, we’ve forgot the database with all the user accounts. Let’s add it.
Wait, this database is somewhere else. It’s not even in the same network, so we have to add Trust boundaries. Let’s add it too.
Ok, does this looks convincing? It’s better than nothing, so let’s identify threats. OWASP Threat dragon is still in development, so there’s no rule engine yet. But we can use STRIDE model. STRIDE is a basic set of threats (Spoofing, Tampering, Repudiation, Info Disclosure, Denial of Service, and Elevation of Privilege).
Let’s analyze web request:
Great, these are main things to consider:
- Web Request can be tampered.
- Information in web request could be disclosed.
- Web requests are base for DoS attacks.
Let’s get back to our developers and discuss what can be done to fix this. Let’s encrypt this communication and deploy our application in DoS protected environment. This is the idea, we go step by step with every communication and see what we can improve.
OWASP Threat dragon is version 1.1 now, but it’s still in its early stages of development. You can get from Github for Windows, Linux and MacOS.