Web application security - the fast guide 1.1 | Page 49

Chapter 3 - Vulnerabilities and threat models

The output of this step is an architecture diagram along with a list of the technologies used and their versions.

3. Decompose the application: the aim of this step is to understand what data the application consumes, where it comes from and who can access it. This is done by:
   a. Identifying trust boundaries.
   b. Identifying data flows.
   c. Identifying entry points.
   d. Identifying privileged code.
   e. Documenting the security profile, i.e. how the application deals with input validation, authentication, authorization, configuration management, session management, cryptography, parameter manipulation, exception management and logging.

4. Identifying and rating threats: this task can be difficult because it needs a lot of experience, which is why special methods and schemes are normally used to categorize and rate the different threats. Among the common schemes are STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), IIMF (Interception, Interruption, Modification, Fabrication), DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability), CVSS (Common Vulnerability Scoring System) and CIA (Confidentiality, Integrity, Availability).

Figure 20: Threats and vulnerabilities models (STRIDE, IIMF, DREAD, CVSS, CIA)
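A worked example of steps 3 and 4, added here and not part of the book: the decomposition expressed as code so that the STRIDE and DREAD steps can be applied mechanically and re-run whenever the architecture changes. The three-tier application (Browser, Web app, Database), its trust zones, and the analyst ratings are all constructed for this example; the STRIDE rules are simple heuristics chosen to show the mechanics, not a complete method, and the DREAD scale (each factor 1 to 3, totals banded 12-15 High, 8-11 Medium, 5-7 Low) is an assumption borrowed from the Microsoft threat-modeling guidance rather than something the book specifies.

```python
"""Threat model as code for the decomposition (step 3) and threat rating
(step 4) above. Illustrative assumptions, not the book's own method."""
from dataclasses import dataclass

# Trust zones in increasing order of trust (assumed). A flow whose endpoints
# sit in different zones crosses a trust boundary (step 3.a).
ZONE_RANK = {"internet": 0, "dmz": 1, "internal": 2}

@dataclass(frozen=True)
class Element:
    name: str
    zone: str
    privileged: bool = False  # runs privileged code (step 3.d)

@dataclass(frozen=True)
class Flow:
    """One data flow from the decomposition (step 3.b)."""
    src: Element
    dst: Element
    data: str
    authenticated: bool = False  # caller identity verified before acting
    encrypted: bool = False      # protected in transit
    logged: bool = False         # action recorded with the caller's identity

    def crosses_boundary(self):
        return self.src.zone != self.dst.zone

    def is_entry_point(self):  # step 3.c: data arrives from a less trusted zone
        return ZONE_RANK[self.src.zone] < ZONE_RANK[self.dst.zone]

@dataclass(frozen=True)
class Threat:
    flow: Flow
    category: str  # STRIDE category
    note: str

def enumerate_threats(flows):
    """Apply simple STRIDE rules (heuristics chosen for this example) to every
    flow that crosses a trust boundary; flows inside one zone are skipped."""
    threats = []
    for f in flows:
        if not f.crosses_boundary():
            continue
        where = f"{f.src.name} -> {f.dst.name} ({f.data})"
        if not f.authenticated:
            threats.append(Threat(f, "Spoofing", f"unauthenticated caller on {where}"))
        if not f.encrypted:
            threats.append(Threat(f, "Tampering", f"cleartext data alterable on {where}"))
            threats.append(Threat(f, "Information disclosure", f"cleartext readable on {where}"))
        if not f.logged:
            threats.append(Threat(f, "Repudiation", f"no audit trail for {where}"))
        if f.is_entry_point():
            threats.append(Threat(f, "Denial of service", f"exposed entry point {where}"))
            if f.dst.privileged:
                threats.append(Threat(f, "Elevation of privilege",
                                      f"untrusted input reaches privileged code via {where}"))
    return threats

def dread_total(damage, reproducibility, exploitability, affected_users, discoverability):
    """DREAD with each factor rated 1 (low) to 3 (high); total ranges 5..15."""
    factors = (damage, reproducibility, exploitability, affected_users, discoverability)
    if any(not 1 <= x <= 3 for x in factors):
        raise ValueError("each DREAD factor must be 1, 2 or 3")
    return sum(factors)

def dread_rating(total):
    """Bands assumed here: 12-15 High, 8-11 Medium, 5-7 Low."""
    return "High" if total >= 12 else "Medium" if total >= 8 else "Low"

def prioritize(threats, scores):
    """scores maps (flow.data, category) -> DREAD factors set by the analyst.
    Unscored threats sort last but stay listed, so nothing drops out silently."""
    rows = []
    for t in threats:
        key = (t.flow.data, t.category)
        total = dread_total(*scores[key]) if key in scores else 0
        rows.append((total, dread_rating(total) if total else "Unrated", t))
    return sorted(rows, key=lambda r: r[0], reverse=True)

# Constructed sample: a three-tier web application.
BROWSER = Element("Browser", "internet")
WEBAPP = Element("Web app", "dmz")
DATABASE = Element("Database", "internal", privileged=True)
FLOWS = [
    Flow(BROWSER, WEBAPP, "login form", encrypted=True, logged=True),
    Flow(BROWSER, WEBAPP, "search query"),                    # plain HTTP, anonymous, unlogged
    Flow(WEBAPP, DATABASE, "SQL query", authenticated=True),  # cleartext, unlogged
]
# Constructed analyst ratings as (D, R, E, A, D) factors.
SCORES = {
    ("search query", "Tampering"): (3, 3, 3, 3, 3),
    ("SQL query", "Elevation of privilege"): (3, 2, 2, 3, 1),
    ("login form", "Spoofing"): (2, 2, 2, 2, 1),
}

if __name__ == "__main__":
    for total, rating, t in prioritize(enumerate_threats(FLOWS), SCORES):
        print(f"{rating:8} {total:2}  {t.category:23} {t.note}")
```

Running the script prints the twelve candidate threats with the three rated ones first; the unrated rows are deliberately kept in the output, because a threat the analyst has not yet scored is a gap in the model, not a threat that can be ignored. The same pattern scales: adding a flow or changing a zone re-derives the candidate list, while the DREAD dictionary remains the place where human judgement is recorded.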