Web application security - the fast guide 1.1

Chapter 3 - Vulnerabilities and threat models P a g e | 48 3.2 Threats risk modeling Figure 19: Threats modeling process 3.2.1 Definition: Threat modeling is a process that allow application developer to identify, understand and rate main threats that might affect the application giving a better view that will help implementing countermeasures to secure the application. This task is not a one-time task it should be iterative to evolve with the application and to give better opportunity to better identify threats and vulnerabilities. 3.2.2 Threat modeling process: This process as originally developed by Microsoft is composed of steps described as follow: 1. Identify assets and security objectives: this is the step to be able to locate and identify everything that has value that your application deal with and that you have to protect. This might vary from confidential information to company reputation. Information that we generally need to collect are related to:  Value of the asset to adversaries.  Cost to replace the asset if lost.  Operational and productivity costs incurred if the asset is unavailable.  Liability issues if the asset is compromised. After prioritizing assets, a set of security objectives are to be specified. 2. Creating an architecture overview: this includes identifying all functionalities of the application, subsystems and used technologies.

Web application security - the fast guide 1.1 | Page 48