declan bright

Attribute Driven Design with Threat Modelling

This article expands on the topic of Attribute Driven Design in Software Architecture to include threat modelling as a design activity.

Threat Modelling

Threat modelling is the proactive process of identifying potential threats to a software system. Once the threats have been identified, countermeasures are defined to prevent or mitigate each of them.

Performing threat modelling early in the software development life-cycle, i.e. as part of the initial design activities, can prevent the need for costly refactoring work later on. However, threat modelling is not a one-off task; the models should evolve iteratively throughout the life-cycle of the software.

STRIDE

STRIDE is one of several approaches to threat modelling; it is an acronym for six common threat categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.

Each of these threat categories aligns with one or more quality attributes, so this approach overlaps nicely with the Attribute Driven Design process, which also focuses on quality attributes.

The associated quality attributes are listed for each threat category below:

Spoofing

A spoofing attack is where a person or program successfully masquerades as another.

Quality Attribute/s:
Securability (Authenticity/Authentication)
Remediations:
TLS with certificate validation (so that clients can verify the identity of the server), strong password policy, session management, short authentication token lifetimes, multi-factor authentication, authorisation policy

Tampering

Tampering is where an attacker maliciously modifies data in transit, data at rest or data in process.

Quality Attribute/s:
Integrity
Remediations:
validation/scrubbing of user input, integrity protection for data in transit and at rest (TLS, message authentication codes, digital signatures), security scans with static code analysis and software composition analysis tools (scanning 3rd party dependencies) to identify known security vulnerabilities

Repudiation

Repudiation is where a user (or attacker) can deny having performed an action because the system holds no trustworthy proof that they did it.

Quality Attribute/s:
Auditability
Remediations:
comprehensive logging and auditing, with the system that creates the audit records granted append-only (write-only) access so that existing records cannot be modified or deleted, and with every record attributed to an authenticated actor and a synchronised timestamp
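As an added illustration of the append-only requirement (this is example code, not part of the original article), the following hash-chained audit log makes any edit or deletion of an earlier record detectable. Each entry carries an HMAC over the previous entry's hash and its own canonical record, so rewriting one record breaks every link after it. The signing key, element names and the three sample records are all constructed for the example; in practice the key would be held by a separate audit service or KMS rather than by the application writing the records.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Hypothetical key for the example only. In a real system it lives with a separate
# audit service or KMS, not in the process that produces the records.
AUDIT_KEY = b"example-only-audit-key"
GENESIS = "0" * 64  # link value that precedes the first entry


def _canonical(record: dict) -> bytes:
    """Deterministic serialisation so the same record always hashes the same way."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _link(prev_hash: str, record: dict, key: bytes = AUDIT_KEY) -> str:
    """HMAC over the previous link and this record; binds each entry to its predecessor."""
    return hmac.new(key, prev_hash.encode() + _canonical(record), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only, hash-chained audit log. append() is the only mutating operation."""

    def __init__(self) -> None:
        self._entries: List[dict] = []

    def append(self, actor: str, action: str, target: str, ts: Optional[str] = None) -> dict:
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        record = {
            "seq": len(self._entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "target": target,
        }
        entry = {"record": record, "prev": prev, "hash": _link(prev, record)}
        self._entries.append(entry)
        return entry

    def head(self) -> str:
        """Latest link; anchor this somewhere the log writer cannot reach."""
        return self._entries[-1]["hash"] if self._entries else GENESIS

    def export(self) -> List[dict]:
        return json.loads(json.dumps(self._entries))  # deep copy, as a reader would receive it


def verify_chain(entries: List[dict], expected_head: Optional[str] = None,
                 key: bytes = AUDIT_KEY) -> Tuple[bool, int]:
    """Return (ok, index): index is the first entry that fails, or -1 if the chain is intact.

    Without expected_head, chopping entries off the tail is undetectable, because the
    remaining prefix is still a valid chain; the externally anchored head catches that.
    """
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["prev"] != prev or e["record"]["seq"] != i:
            return False, i
        if not hmac.compare_digest(_link(prev, e["record"], key), e["hash"]):
            return False, i
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, len(entries)
    return True, -1


def tamper_demo() -> dict:
    """Constructed scenario: three records, then an edit, a deletion and a truncation."""
    log = AuditLog()
    log.append("alice", "login", "portal", ts="2024-01-01T00:00:00+00:00")
    log.append("bob", "export", "customer-table", ts="2024-01-01T00:01:00+00:00")
    log.append("alice", "logout", "portal", ts="2024-01-01T00:02:00+00:00")
    head = log.head()

    edited = log.export()
    edited[1]["record"]["actor"] = "carol"   # rewrite who exported the table

    deleted = log.export()
    del deleted[1]                            # drop the incriminating entry entirely

    truncated = log.export()[:2]              # chop the tail; only the anchor catches this

    return {
        "intact": verify_chain(log.export(), head),
        "edited": verify_chain(edited, head),
        "deleted": verify_chain(deleted, head),
        "truncated_no_anchor": verify_chain(truncated),
        "truncated_with_anchor": verify_chain(truncated, head),
    }


if __name__ == "__main__":
    for name, result in tamper_demo().items():
        print(f"{name:<22} ok={result[0]} first_bad_index={result[1]}")
```

The chain only proves that records were not altered after they were written; the append-only access control on the store is still needed so that the writer cannot simply replace the whole log, and the latest head must be copied periodically to a system the writer cannot modify, otherwise truncation of the tail goes unnoticed.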

Information disclosure

Information disclosure is where an attacker gains access to (and/or extracts) data they shouldn't have access to, also known as a data breach.

Quality Attribute/s:
Securability (Confidentiality)
Remediations:
encryption of data in transit (HTTPS/TLS) and at rest, exposing only the necessary services/data stores/files to users, role-based access controls (RBAC), data masking, excluding business data and PII/PHI from logs, data leak/loss prevention (DLP)

Denial of Service

Denial of Service (DoS) is where an attacker performs activities to prevent legitimate users from utilising the system, e.g. submits superfluous requests to consume available resources (CPU/memory/connections), fill up storage/disk space, etc.

Quality Attribute/s:
Availability, Reliability, Resilience & Recoverability
Remediations:
monitoring/alerting, log rotation and separation of log storage from application storage, auto-scaling with upper limits (so an attack cannot run up an unbounded bill), network rate-limiting, firewalls, intrusion prevention/detection systems

The major cloud vendors provide managed DDoS mitigation services: AWS, Azure and Google Cloud.

Elevation of Privilege

Elevation of privilege is where an attacker manipulates the system to gain a higher level of access than intended.

Quality Attribute/s:
Securability (Authorisation)
Remediations:
role-based access controls (RBAC), apply the principle of least privilege

Tooling for Threat Modeling

Threats generally follow data, so it is common to use data flow diagrams (DFDs) when modelling a system for threats.

The Microsoft Threat Modeling Tool is a useful tool for visually modelling the components, data flows and trust boundaries of a system. Once the data flows have been modelled, the tool applies a set of rules to automatically generate a list of threats, with each threat assigned to one of the STRIDE categories. Custom rules can also be configured.

Performing Threat Modelling as a Design Activity

The threat model should be re-evaluated during each design iteration of the Attribute Driven Design process and updated where appropriate. Changes to the design (new components, data flows or trust boundaries) will most likely introduce new potential threats. As you work through the mitigation for each threat, check that it is covered by a quality attribute scenario and update the system design where required.
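To make the two preceding ideas concrete, i.e. rules that run over a data flow model to generate STRIDE threats, and a check that each generated threat is covered by a quality attribute scenario, here is a small added example in Python. It is not the Microsoft Threat Modeling Tool's rule set and not code from the original article: the element/flow attributes, the six rules and the three-element Browser, Web API, Database model are all constructed for illustration, and the rules fire on one data flow at a time, mostly where a flow crosses a trust boundary.

```python
from dataclasses import dataclass
from typing import Iterable, List, Set

# Element kinds use the usual data flow diagram vocabulary.
EXTERNAL, PROCESS, STORE = "external entity", "process", "data store"


@dataclass(frozen=True)
class Element:
    name: str
    kind: str
    trust_zone: str              # e.g. "internet", "dmz", "internal"
    authenticates: bool = False  # verifies the identity of callers
    authorises: bool = False     # enforces an access policy (RBAC / least privilege)
    audited: bool = False        # writes tamper-evident audit records


@dataclass(frozen=True)
class Flow:
    source: Element
    dest: Element
    data: str
    encrypted: bool = False      # confidentiality and integrity protected, e.g. TLS
    sensitive: bool = False      # business data, PII/PHI
    rate_limited: bool = False

    def crosses_boundary(self) -> bool:
        return self.source.trust_zone != self.dest.trust_zone


# Quality attribute per STRIDE category, as listed in the article.
QUALITY_ATTRIBUTES = {
    "S": "Securability (Authenticity/Authentication)",
    "T": "Integrity",
    "R": "Auditability",
    "I": "Securability (Confidentiality)",
    "D": "Availability, Reliability, Resilience & Recoverability",
    "E": "Securability (Authorisation)",
}


@dataclass(frozen=True)
class Threat:
    category: str    # one STRIDE letter
    location: str    # the flow the rule fired on
    description: str

    @property
    def quality_attribute(self) -> str:
        return QUALITY_ATTRIBUTES[self.category]


def _rules(f: Flow) -> Iterable[Threat]:
    """Illustrative rule set (hypothetical): each rule inspects one flow and may yield a threat."""
    where = f"{f.source.name} -> {f.dest.name} [{f.data}]"
    boundary = f.crosses_boundary()
    if boundary and not f.dest.authenticates:
        yield Threat("S", where, "caller identity is not verified across a trust boundary")
    if boundary and not f.encrypted:
        yield Threat("T", where, "unprotected flow across a trust boundary can be altered in transit")
    if boundary and not f.dest.audited:
        yield Threat("R", where, f"{f.dest.name} keeps no audit trail of actions requested over this flow")
    if f.sensitive and not f.encrypted:
        yield Threat("I", where, "sensitive data is transmitted in clear text")
    if f.source.kind == EXTERNAL and not f.rate_limited:
        yield Threat("D", where, "externally reachable flow has no rate limiting")
    if boundary and not f.dest.authorises:
        yield Threat("E", where, f"{f.dest.name} does not enforce an authorisation policy on callers")


def generate_threats(flows: Iterable[Flow]) -> List[Threat]:
    return [t for f in flows for t in _rules(f)]


def uncovered(threats: Iterable[Threat], scenario_attributes: Set[str]) -> List[Threat]:
    """Threats whose quality attribute has no quality attribute scenario written for it yet."""
    return [t for t in threats if t.quality_attribute not in scenario_attributes]


def example_model() -> List[Flow]:
    """Constructed model: browser on the internet, API in a DMZ, database in the internal zone."""
    browser = Element("Browser", EXTERNAL, "internet")
    api = Element("Web API", PROCESS, "dmz", authenticates=True)
    db = Element("Database", STORE, "internal", authenticates=True, authorises=True, audited=True)
    return [
        Flow(browser, api, "login request", encrypted=True, sensitive=True),
        Flow(api, db, "account records", sensitive=True, rate_limited=True),
    ]


if __name__ == "__main__":
    threats = generate_threats(example_model())
    for t in threats:
        print(f"{t.category} {t.quality_attribute:<56} {t.location}: {t.description}")
    scenarios = {"Integrity", "Securability (Confidentiality)",
                 "Availability, Reliability, Resilience & Recoverability"}
    print("\nThreats with no quality attribute scenario yet:")
    for t in uncovered(threats, scenarios):
        print(f"  {t.category} {t.location}")
```

Run against the sample model, the rules report a missing rate limit, a missing authorisation policy and no audit trail on the API for the browser flow, and an unencrypted flow carrying sensitive account records from the API to the database. With scenarios written only for integrity, confidentiality and availability, `uncovered()` flags the repudiation and elevation-of-privilege threats as the ones still needing a quality attribute scenario and a design change; on each iteration, re-running the rules after the design changes is what keeps the model current.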

Conclusion

By performing threat modelling, you examine a software system from a security perspective, using a structured and proven approach. Practicing it as an ongoing design activity, during each iteration of the Attribute Driven Design process, ensures that security is considered early in the software development life-cycle, and will help to keep your system safe and secure as it evolves.
