DevSecOps Threat Modelling Implementation on Simple Web Application

Tjakrabirawa Team

Arjan Ridwan

Dec 17, 2025

Table of contents

Executive Summary

Requirements

Threat Modeling Approach & Framework

Design & Prototype

Testing & Implementation

Conclusion & Lesson Learned

References

Tags:

#Research
#Security

Executive Summary

When designing software or an application, an assessment needs to be carried out to find out what threats may arise. One way to do this is threat modeling. Threat modeling is a proactive process of looking for threats in software or an application. When modeling software or an application, we usually work with two kinds of model: the model of what will be built, and the model of the threats that may arise against it.[1]

Requirements

The security goals of this exercise are:

  • Determine the appropriate threat modeling approach and method, so that threat modeling can be done before DevSecOps is implemented.

  • Identify threats early and carry out mitigation to reduce the consequences of those threats.

Below are the inputs needed to implement threat modeling using STRIDE:

  • Information about the applications, services, and topology in use

  • Threat modeling approach

  • Framework

  • Threat modeling tool

  • Data flow diagram

Threat Modeling Approach & Framework

[illustration]

Research

In carrying out threat modeling, three approaches can be used according to OWASP, as follows:

  • Application-centric approach: starts from a visual model of the application (for example a data flow diagram) and looks for threats against each part of it.

  • Asset-centric approach: starts from a list of the assets to be protected.

  • Attacker-centric approach: starts from the attacker's goals and perspective.

After researching these approaches, I chose the application-centric approach, considering the data available to serve as a reference for threat modeling.

Next, determine the framework that can be used with an application-centric approach. I researched several frameworks available for threat modeling. The following are some of the currently available threat modeling frameworks:

  1. LINDDUN

  2. Attack Trees

  3. TRIKE

  4. STRIDE

  5. VAST Modeling

  6. PASTA

  7. Persona non-Grata

  8. Quantitative TMM

  9. hTMM

  10. CVSS

  11. OCTAVE

  12. Security Cards

Next, I mapped each framework to the approaches it supports, with the following results:

  • Asset-centric: STRIDE, LINDDUN, Security Cards, Quantitative TMM, VAST Modeling, OCTAVE, PASTA.

  • Attacker-centric: PASTA, Persona non-Grata, hTMM, TRIKE, Attack Trees.

  • Application-centric: STRIDE, CVSS, Attack Trees, Security Cards, VAST Modeling, OCTAVE.

The following are the results of comparative research on several of the frameworks above (method, pros, cons).

STRIDE
  Pros:
  • Most mature
  • Easy to use
  • Provides a structured approach to identifying and categorizing threats
  • Can use tools
  • Comprehensive coverage (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege)
  Cons:
  • Time consuming
  • Pretty complex

PASTA
  Pros:
  • Realistic threat scenarios
  • Provides a structured approach to identifying and categorizing threats
  • Adaptable to various development methodologies
  • Provides a structured methodology with seven stages (Define, Scope, Identify, Assess, Respond, Monitor, Report)
  Cons:
  • Lack of tooling support
  • Complex
  • Potential to overwhelm
  • Resource intensive

LINDDUN
  Pros:
  • Easy to use
  • Scalable and can be adapted to different project sizes and complexities
  • Integration with privacy concerns
  Cons:
  • Limited scope
  • Less comprehensive
  • Needs expertise
  • Lack of tooling support

CVSS
  Pros:
  • Standardized scoring
  • Integration with vulnerability management
  • Community support and resources
  • Widely adopted
  Cons:
  • Focus on technical factors
  • Complex
  • Limited coverage of threats
  • Subjectivity in scoring

Attack Trees
  Pros:
  • Visual representation
  • Flexible
  • Scenario exploration
  Cons:
  • Complex
  • Resource intensive
  • Difficulty in quantification
  • Maintenance overhead

Persona non-Grata
  Pros:
  • Focus on threat actors
  • Realistic scenarios
  • Alignment with risk management
  • Contextual understanding
  Cons:
  • Complex
  • Resource intensive
  • Limited scope

Security Cards
  Pros:
  • Rapid prototyping
  • Flexible customization
  • Easy to understand
  Cons:
  • Limited details
  • Lack of standardization
  • Limited scalability
  • Dependency on facilitation

hTMM
  Pros:
  • Human-centric approach
  • Realistic threat scenarios
  • Mitigation of social engineering attacks
  Cons:
  • Complex
  • Resource intensive
  • Limited coverage of technical threats
  • Dependency on user involvement

Quantitative TMM
  Pros:
  • Cost-benefit analysis
  • Optimized for risk management
  • Communication with stakeholders
  • Numerical risk assessment
  Cons:
  • Complex
  • Assumption dependency
  • Modelling limitations
  • Resistance to adoption

TRIKE
  Pros:
  • Structured approach
  • Integration with existing practices
  • Community support
  Cons:
  • Complex
  • Resource intensive
  • Dependency on knowledge bases
  • Limited coverage of emerging threats

VAST Modeling
  Pros:
  • Easy to understand
  • Simplicity
  • Alignment with development processes
  Cons:
  • Lack of details
  • Limited coverage
  • Resource intensive

OCTAVE
  Pros:
  • Comprehensive approach
  • Tailored to organizational context
  • Integrated with risk management
  • Holistic perspective
  Cons:
  • Complex
  • Resource intensive
  • Documentation overhead
  • Limited scalability

To select the approach and method, I used the following criteria:

  • Easy to use

  • Uses data/information that is easier to obtain

  • Can use tools

  • One of the mature frameworks

Based on these criteria and the comparative research on the approaches and frameworks above, the application-centric approach using the STRIDE framework was selected, as it meets all of the criteria. Below is the threat modeling process using STRIDE.

[illustration]

Design & Prototype

The threat modeling exercise was designed as the following steps:

  1. Research several threat modeling approaches and processes.

  2. Determine a suitable threat modeling approach and method based on the research results.

  3. Determine the scope of threat modeling within the internal environment.

  4. Collect information about the environment in scope.

  5. Create the Data Flow Diagram (DFD).

  6. List the identified threats using the STRIDE methodology and the Microsoft Threat Modeling Tool.

Testing & Implementation

Scoping

The following are the testing conditions and implementation of this exercise, scoped to a simple “Web Application” environment for the DevSecOps threat modeling exercise.

Information Collection

Below is an example of a simple web application architecture topology.

  a. Architecture topology

     [illustration]

  b. List of applications/services

     • User browser (Chrome, Mozilla, Edge, etc.)
     • HTTPS
     • Web application
     • API
     • Web service
     • Database server

Data Flow Diagrams

The first step is to create a Data Flow Diagram (DFD). DFDs play a fundamental role in threat modeling by providing a clear visual representation of how data moves through a system. Their primary function is to help analysts and security teams identify potential threats and security vulnerabilities within an application's architecture.

[illustration]

Threat Model Summary

Total Threats: 31

Threats List

After creating the DFD, we identify potential threats to each element, using the STRIDE method as the structured approach.

In the resulting table, each entry records the Threat, Category, Description, and Priority:

  • Threat: The type of attack an attacker could use against the element concerned.

  • Category: The attack category according to the STRIDE elements (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).

  • Description: A detailed explanation of the attack activity.

  • Priority: The order in which fixes are carried out, based on the severity level of each attack's risk value. The risk value can be calculated independently with the CVSS (Common Vulnerability Scoring System) calculator, taken from organisations that have already performed the calculation, or taken from publicly released CVEs.
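As an added example (not code from the original post or its author), the following Python script applies the STRIDE-per-element rule from Shostack [1] to the DFD described above and maps a CVSS base score to the priority labels used in the tables. The element names and kinds are assumed from the topology shown earlier, and the per-element mapping is the textbook one rather than the Microsoft Threat Modeling Tool's template, so the candidate list it produces is a starting point and differs from the 31 threats tabulated below.

```python
# Added example, not part of the original post: STRIDE-per-element candidate
# enumeration over the simple web application DFD, plus CVSS-based priorities.
from dataclasses import dataclass
from itertools import count

STRIDE = {
    "S": "Spoofing", "T": "Tampering", "R": "Repudiation",
    "I": "Information Disclosure", "D": "Denial of Service",
    "E": "Elevation of Privilege",
}
# STRIDE-per-element (Shostack [1]): the categories that normally apply to each
# DFD element type. Repudiation on a data store mainly matters for log stores.
PER_ELEMENT = {"external_entity": "SR", "process": "STRIDE",
               "data_store": "TRID", "data_flow": "TID"}

@dataclass(frozen=True)
class Element:
    name: str
    kind: str  # one of the PER_ELEMENT keys

# Constructed DFD (assumed from the topology above): browser -> web application
# -> web service -> database, with each return flow modelled separately.
DFD = [
    Element("User Browser", "external_entity"),
    Element("Web Application", "process"),
    Element("Web Service", "process"),
    Element("Database", "data_store"),
    Element("HTTPS (Browser - Web App)", "data_flow"),
    Element("HTTPS (Web App - Browser)", "data_flow"),
    Element("API (Web App - Web Service)", "data_flow"),
    Element("API (Web Service - Web App)", "data_flow"),
    Element("Database Request", "data_flow"),
    Element("Database Response", "data_flow"),
]

def candidate_threats(dfd):
    """One row per (element, applicable STRIDE category). Each row is a
    candidate that the analyst still completes with Threat, Description and
    Priority, as in the per-flow tables."""
    numbering = count(1)
    return [{"no": next(numbering), "element": e.name, "category": STRIDE[c]}
            for e in dfd for c in PER_ELEMENT[e.kind]]

def priority_from_cvss(score):
    """Map a CVSS v3 base score to the priority label used in the threat
    tables, using the CVSS v3 qualitative severity bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS base score must lie between 0.0 and 10.0")
    bands = ((0.0, "None"), (3.9, "Low"), (6.9, "Medium"), (8.9, "High"))
    for ceiling, label in bands:
        if score <= ceiling:
            return label
    return "Critical"

if __name__ == "__main__":
    print(len(candidate_threats(DFD)), "candidate rows;", priority_from_cvss(7.5))
```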


  a. API (Web App - Web Service)

     [illustration]

     No | Threat | Category | Description | Priority
     1 | Web Application Process Memory Tampered | Tampering | Web applications can tamper with web services if given memory access. | Critical
     2 | Replay Attacks | Tampering | Packets without sequence numbers can be intercepted and replayed. | Medium
     3 | Collision Attacks | Tampering | Attackers can overlap data by sending a series of packets. | Medium
     4 | Weak Authentication Scheme | Information Disclosure | Vulnerable to common weaknesses in authentication. | High
     5 | Elevation Using Impersonation | Elevation of Privilege | Web services can seek additional privileges by imitating the context of a web application. | High

  b. API (Web Service - Web App)

     [illustration]

     No | Threat | Category | Description | Priority
     1 | Web Service Process Memory Tampered | Tampering | Web services can tamper with web applications if given memory access. | Critical
     2 | Cross-Site Scripting (XSS) | Tampering | If the input is not properly sanitized, web applications can be subject to XSS attacks. | High
     3 | Elevation Using Impersonation | Elevation of Privilege | Web services can seek additional privileges by imitating the context of a web application. | High

  c. Database Request

     [illustration]

     No | Threat | Category | Description | Priority
     1 | Spoofing of Destination Data Store Database | Spoofing | An attacker can spoof the database, which can cause data to be written to the attacker's target. | High
     2 | Potential SQL Injection Vulnerability for Database | Tampering | SQL injection is a type of cyber-attack that targets web applications by exploiting vulnerabilities in their SQL database interactions. | High
     3 | Potential Excessive Resource Consumption for Web Service or Database | Denial of Service | Attacks based on resource consumption are possible unless the web service or database takes explicit steps to control its resource usage. | Medium
     4 | Weak Credential Storage | Information Disclosure | Credentials on the server can be exposed, and credentials on the client can be stolen. | High
     5 | Risks from Logging | Tampering | Log files can be used to attack the log readers. | Medium
     6 | Lower Trusted Subject Updates Logs | Repudiation | If too many parties can write logs, repudiation becomes a problem. | Medium
     7 | Data Logs from an Unknown Source | Repudiation | Logs from unknown external users must be identified. | Medium
     8 | Insufficient Auditing | Repudiation | Log data that is not captured properly will complicate the audit process. | Medium
     9 | Potential Weak Protections for Audit Data | Repudiation | Attacks on audit mechanisms, such as log deletion, may occur. | High

  d. Database Response

     [illustration]

     No | Threat | Category | Description | Priority
     1 | Spoofing of Source Data Store Database | Spoofing | An attacker can spoof the database, which can cause data to be written to the attacker's target. | High
     2 | Weak Access Control for a Resource | Information Disclosure | Confidential information may be read by attackers if the database is not protected properly. | High
     3 | Risks from Logging | Tampering | Log files can be used to attack the log readers. | Medium

  e. HTTPS (Browser - Web App)

     [illustration]

     No | Threat | Category | Description | Priority
     1 | Cross-Site Scripting | Tampering | If the input is not properly sanitized, web applications can be subject to XSS attacks. | High
     2 | Elevation Using Impersonation | Elevation of Privilege | Web applications can seek additional privileges by imitating the context of the user's browser. | High
     3 | Potential Data Repudiation by Web Application | Repudiation | The web application should not accept data from untrusted outside sources, but this can happen without being noticed. | Medium
     4 | Potential Process Crash or Stop for Web Application | Denial of Service | Web applications can experience several obstacles. | Medium
     5 | Data Flow HTTPS Is Potentially Interrupted | Denial of Service | External agents can disrupt the data flow. | High
     6 | Web Application May be Subject to Elevation of Privilege Using Remote Code Execution | Elevation of Privilege | User browsers can be exploited using remote code execution exploits from web applications. | Critical
     7 | Elevation by Changing the Execution Flow in Web Application | Elevation of Privilege | An attacker can pass data to a web application to change the program flow. | High
     8 | Cross-Site Request Forgery | Elevation of Privilege | CSRF is a type of cyber-attack in which an attacker tricks a user into performing actions on a web application without their consent or knowledge. | Medium

  f. HTTPS (Web App - Browser)

     [illustration]

     No | Threat | Category | Description | Priority
     1 | Spoofing of the User Browser External Destination Entity | Spoofing | An attacker can spoof a user's browser so that data is sent to the attacker. | Medium
     2 | External Entity User Browser Potentially Denies Receiving Data | Repudiation | User browsers should not accept data from untrusted outside sources, but this can happen without being noticed. | Low
     3 | Data Flow HTTPS Is Potentially Interrupted | Denial of Service | External agents can disrupt the data flow. | High

Conclusion & Lesson Learned

From the implementation of threat modeling on a simple web application, 31 threats were identified. All of these threats still need to be validated later, to see which have already been mitigated and which have not.

The following are the benefits I take from doing threat modeling:

  1. Early detection of security flaws

  2. Improved understanding of the system

  3. Enhanced risk management

  4. Compliance and standards adherence

  5. Informed decision-making

  6. Enhanced communication and collaboration

  7. Improved security posture

  8. Increased confidence in doing business

  9. Continual improvement

  10. Reduced incident response costs

In summary, threat modeling is a strategic process that not only helps in identifying and mitigating security risks early but also improves overall system understanding, promotes better communication, ensures compliance, and enhances the security posture of an organization.

References

  • [1] A. Shostack, Threat Modeling: Designing for Security. Wiley, 2014.

  • [2] “OWASP DevSecOps Guideline - v-0.2 | OWASP Foundation.” Accessed: Apr. 08, 2024. [Online]. Available: https://owasp.org/www-project-devsecops-guideline/latest/00b-Threat-modeling

  • [3] L. O. Nweke and S. D. Wolthusen, “A Review of Asset-Centric Threat Modelling Approaches,” 2020. [Online]. Available: www.ijacsa.thesai.org

  • [4] I. Tarandach and M. J. Coles, Threat Modeling: A Practical Guide for Development Teams.
