Threat models are a very good way to turn implicit security threats and mechanisms into explicit ones, so that you can write requirements, build, and test that they do the job you intend. As a starting point, I like to use a modified version of STRIDE, which among other things cleanly maps each threat to a mechanism. This way, when starting a new project, for example with SOA Web services, you can identify where the standards will help you.
| Threat | Mechanism | Example Standard |
| --- | --- | --- |
| Spoofing | Authentication | WS-Security |
| Tampering | Digital Signature, Hash | WS-Security + XML Signature |
| Dispute | Audit Logging | None |
| Information Disclosure | Encryption | WS-Security + XML Encryption |
| Denial of Service | Availability Services | None |
| Elevation of Privilege | Authorization | None |
| Threat | Mechanism | Example SOA Standard | Example REST Standard |
| --- | --- | --- | --- |
| Spoofing | Authentication | WS-Security | XML Signature (response only) |
| Tampering | Digital Signature, Hash | WS-Security + XML Signature | XML Signature (response only) |
| Dispute | Audit Logging | None | None |
| Information Disclosure | Encryption | WS-Security + XML Encryption | XML Encryption (response only) |
| Denial of Service | Availability Services | None | None |
| Elevation of Privilege | Authorization | None | None |
Threat modeling gives a concrete structure to a fairly abstract subject like analyzing software security capabilities in services, but as you can see it's not about the threats, it's about the security architecture elements. This is just an illustrative example, not a complete threat model, but it does give an effective, context-sensitive way to look at tradeoffs in security architecture. In this example, SOA/WS-* has potentially more coverage because the security mechanisms work on both the request and response side, whereas the REST standards listed only protect the response. In the next series of posts, we'll look at slicing and dicing the threat model a layer deeper and how we can use it to secure our services.
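To make the request/response coverage comparison above mechanical, here is an added example (my own illustration, not code from the original post): it encodes the threat-to-mechanism table, a mapping of which mechanisms each named standard supplies (derived from how the tables pair standards with mechanisms), and two constructed service profiles declaring which standards are applied on each message direction. The checker then reports, per threat, which directions have no countermeasure, which is exactly the gap the SOA versus REST columns express. The profiles and the standard-to-mechanism mapping are assumptions for illustration, not a description of any real deployment.

```python
"""Threat-to-mechanism coverage check for the modified STRIDE table.

Added example, not part of the original post. Service profiles below are
constructed for illustration only.
"""
from dataclasses import dataclass, field

# Threat -> mechanisms that counter it, taken from the post's table.
THREAT_MECHANISMS = {
    "Spoofing": {"Authentication"},
    "Tampering": {"Digital Signature", "Hash"},
    "Dispute": {"Audit Logging"},
    "Information Disclosure": {"Encryption"},
    "Denial of Service": {"Availability Services"},
    "Elevation of Privilege": {"Authorization"},
}

# Standard -> mechanisms it supplies. Assumed from how the post pairs
# standards with mechanisms (XML Signature is listed against Spoofing in the
# REST column, so it is treated as authenticating the message origin).
STANDARD_MECHANISMS = {
    "WS-Security": {"Authentication"},
    "XML Signature": {"Digital Signature", "Authentication"},
    "XML Encryption": {"Encryption"},
}

DIRECTIONS = ("request", "response")


@dataclass
class ServiceProfile:
    """Standards actually applied on each message direction."""
    name: str
    request: set = field(default_factory=set)
    response: set = field(default_factory=set)

    def standards(self, direction):
        return getattr(self, direction)


def mechanisms_for(standards):
    """Union of mechanisms provided by a set of standards."""
    return set().union(*(STANDARD_MECHANISMS.get(s, set()) for s in standards))


def uncovered_threats(profile):
    """Return {threat: [directions with no countermeasure]}, omitting fully covered threats."""
    gaps = {}
    for threat, needed in THREAT_MECHANISMS.items():
        missing = [
            d for d in DIRECTIONS
            if not needed & mechanisms_for(profile.standards(d))
        ]
        if missing:
            gaps[threat] = missing
    return gaps


def covered_pairs(profile):
    """Count of (threat, direction) pairs that have at least one countermeasure."""
    total = len(THREAT_MECHANISMS) * len(DIRECTIONS)
    missing = sum(len(dirs) for dirs in uncovered_threats(profile).values())
    return total - missing


# Constructed profiles mirroring the two columns of the post's second table.
SOA_PROFILE = ServiceProfile(
    "SOA/WS-*",
    request={"WS-Security", "XML Signature", "XML Encryption"},
    response={"WS-Security", "XML Signature", "XML Encryption"},
)
REST_PROFILE = ServiceProfile(
    "REST",
    request=set(),
    response={"XML Signature", "XML Encryption"},
)

if __name__ == "__main__":
    for profile in (SOA_PROFILE, REST_PROFILE):
        print(f"{profile.name}: {covered_pairs(profile)} of 12 threat/direction pairs covered")
        for threat, dirs in uncovered_threats(profile).items():
            print(f"  {threat}: no countermeasure on {', '.join(dirs)}")
```

Running it prints the residual gaps both architectures share (Dispute, Denial of Service, Elevation of Privilege, where the table has "None") and the request-side gaps that are specific to the REST column. The point of the structure is that adding a standard to a profile immediately shows which rows it closes, which is the "where the standards will help you" question the post starts from.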
I agree the primary purpose should be the appropriate selection of controls. Threat modeling is a heuristic, nothing more.
Posted by: Marinus | July 01, 2009 at 03:48 PM
What about code that is already in production? It seems difficult to threat model things that are already running business critical processes.
Posted by: Stan | July 07, 2009 at 08:39 AM