Threat modelling – Is your project at risk?


Monday August 22, 2016

Any web and mobile application can put your organization at risk, if done incorrectly. But there is a proven process that, combined with expert support, can help mitigate that risk.

Strategic threat modelling: We use threat modelling as a strategy for identifying and dealing with threats against the things that you are building.

Who is involved? To be successful, it is important to involve your entire team – project management, developers and QA, and systems – as each plays an important role in evaluating and mitigating the risk posed by threats.

Threat modelling process
There are three stages in the Threat Modelling process:

  1. Asking whether your project is at risk,
  2. Designing your project and identifying the threats,
  3. Answering: “What are we going to do?”

Stage One - Is my project at risk?
The threat modelling process begins by reviewing the project and threat sources.

  • Consider assets that might be threatened – tangible and intangible
  • What kinds of attackers might be interested in the project?  What might they want?
  • Does the project control or potentially expose sensitive data, or data that could be deemed lucrative? Examples include applications that facilitate payments, collect financial data, or collect personal or health information.
  • Am I part of an organization that is likely to be targeted by hackers?
  • Does the project need to be highly accessible?
  • Does the project have unique up-time requirements?
  • Will the project have high visibility when launched?
  • How would a threat affect our reputation?

Stage Two - Identifying the threats
When the project and threat source review is complete, perform a risk analysis.

  • Create a data flow/architecture diagram for the application
  • Show which processes talk to which other processes and to external entities

The diagram will help you to see where sensitive data flows in/out of Trust Boundaries. From that, threats can be brainstormed against various parts of the diagram. This stage typically includes technical staff and can be facilitated by a project manager.
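One way to capture Stage Two in a form the whole team can review, as an added example that is not part of the original post: the elements, trust boundaries and the sample payment flows below are constructed for illustration, and the code simply flags every flow that crosses a trust boundary so that threats can be brainstormed against it.

```python
from dataclasses import dataclass

# Added example (not from the original post): a minimal "threat model as code"
# for Stage Two. All elements, boundaries and flows are constructed samples.

@dataclass(frozen=True)
class Element:
    name: str
    kind: str       # "process" or "external"
    boundary: str   # trust boundary the element lives in

@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    sensitive: bool
    encrypted: bool = False

def boundary_crossings(flows):
    """Flows where data leaves one trust boundary for another."""
    return [f for f in flows if f.src.boundary != f.dst.boundary]

def brainstorm(flows):
    """Attach starting questions to each risky crossing: sensitive data
    in the clear, input from outside, or sensitive data leaving our control."""
    findings = []
    for f in boundary_crossings(flows):
        notes = []
        if f.sensitive and not f.encrypted:
            notes.append("sensitive data crosses boundary in the clear")
        if f.src.kind == "external":
            notes.append("input from outside the boundary: validate and authenticate")
        if f.sensitive and f.dst.kind == "external":
            notes.append("sensitive data leaves our control: check retention and contract")
        if notes:
            findings.append((f"{f.src.name} -> {f.dst.name} [{f.data}]", notes))
    return findings

# Constructed sample: a browser talks to a web app, which stores orders and calls a gateway.
browser = Element("Customer browser", "external", "internet")
webapp = Element("Web app", "process", "dmz")
db = Element("Orders DB", "process", "internal")
gateway = Element("Payment gateway", "external", "third-party")

SAMPLE_FLOWS = [
    Flow(browser, webapp, "card details", sensitive=True, encrypted=True),
    Flow(webapp, db, "order record", sensitive=True),   # plaintext across dmz -> internal
    Flow(webapp, gateway, "card details", sensitive=True, encrypted=True),
    Flow(webapp, browser, "receipt page", sensitive=False),
]

if __name__ == "__main__":
    for flow, notes in brainstorm(SAMPLE_FLOWS):
        print(flow, "->", "; ".join(notes))
```

Each printed line is one place on the diagram where the team should spend its brainstorming time; the non-sensitive receipt flow is deliberately not reported.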

Stage Three - What are we going to do?
Now that threat analysis is done, prepare a plan to proactively address the potential threats identified.

Email us for more information about threat modelling.

Jeremy Wolf is a senior member of the eSolutions Quality Assurance team. He is responsible for helping ensure the secure, trouble-free deployment and integration of web and mobile applications for eSolutions clients. A University of Waterloo computer science graduate, he has a background in mathematics and software development including threat modelling, Artificial Intelligence, assemblers, compilers, and operating systems, security and networking, 3D graphics, and UI.


© eSolutionsGroup 2018