declan bright

Attribute Driven Design with Threat Modelling

This expands on the topic of Attribute Driven Design in Software Architecture to include threat modelling as a design activity.

Threat Modelling

Threat modelling is the proactive process of identifying potential threats to a software system. Once identified, countermeasures are then defined to prevent or mitigate the threats.

Performing threat modelling early in the software development life-cycle, i.e. as part of the initial design activities, can prevent the need for costly refactoring work later on. However, threat modelling is not a one-off task: the models should evolve iteratively throughout the life-cycle of the software.

STRIDE

STRIDE is one of several approaches to threat modelling. It is an acronym for the common threat categories: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege.

Each of these threat categories aligns with one or more quality attributes, so this approach overlaps nicely with the Attribute Driven Design process, which also focuses on quality attributes.

The associated quality attributes are listed for each threat category below:

Spoofing

A spoofing attack is where a person or program successfully masquerades as another.

Quality Attribute/s:
Securability (Authenticity/Authentication)
Remediations:
encryption, strong password policy, session management, authentication token lifetime, multi-factor authentication

Tampering

Tampering is where an attacker maliciously modifies data in transit, data at rest or data in process.

Quality Attribute/s:
Integrity
Remediations:
validation/scrubbing of users' input, security scans with static code analysis and software composition analysis tools (scanning 3rd party dependencies) to identify known security vulnerabilities

Repudiation

Repudiation is where there is no proof that an attacker did something they shouldn't have done.

Quality Attribute/s:
Auditability
Remediations:
comprehensive logging and auditing with write-only access
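
The remediation above is an audit log that the application can only append to. The following added example (written for this page, not the author's code) goes one step further than write-only access: each record carries the hash of the record before it, so that if someone with write access to the store edits, deletes or reorders an earlier record, the chain no longer verifies and the tampering itself becomes evident. The record layout, the SHA-256 chaining and the sample events are all assumptions made for the example.

```python
import hashlib
import json
from typing import Dict, List, Optional

# Previous-hash value carried by the very first record.
GENESIS = "0" * 64


def _digest(prev_hash: str, entry: Dict) -> str:
    # Canonical JSON so the same entry always hashes the same way.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only audit log whose records are hash-chained.

    Callers can only append; there is deliberately no update or delete
    method. Each record stores the hash of its predecessor, so editing,
    removing or reordering an earlier record breaks every later hash.
    """

    def __init__(self) -> None:
        self._records: List[Dict] = []

    def append(self, actor: str, action: str, detail: str) -> Dict:
        prev = self._records[-1]["hash"] if self._records else GENESIS
        entry = {
            "seq": len(self._records),
            "actor": actor,
            "action": action,
            "detail": detail,
            "prev": prev,
        }
        record = dict(entry, hash=_digest(prev, entry))
        self._records.append(record)
        return record

    def records(self) -> List[Dict]:
        # Copies, so a reader holding the list cannot alter the log itself.
        return [dict(r) for r in self._records]


def verify_chain(records: List[Dict]) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the first
    record whose sequence number, back-link or hash does not check out."""
    prev = GENESIS
    for i, rec in enumerate(records):
        entry = {k: v for k, v in rec.items() if k != "hash"}
        if (rec.get("seq") != i or rec.get("prev") != prev
                or _digest(prev, entry) != rec.get("hash")):
            return i
        prev = rec["hash"]
    return None


def demo_log() -> AuditLog:
    """Constructed sample: a few security-relevant events (hypothetical users)."""
    log = AuditLog()
    log.append("alice", "login", "mfa ok")
    log.append("alice", "export", "orders 2024-Q1")
    log.append("bob", "role-change", "alice -> admin")
    return log


if __name__ == "__main__":
    recs = demo_log().records()
    print("intact:", verify_chain(recs) is None)
    recs[1]["detail"] = "orders 2024-Q2"
    print("first bad record after edit:", verify_chain(recs))
```

In a real deployment the log would be persisted somewhere the application has append rights only, and verify_chain would be run periodically by a separate auditing job; the chain makes silent modification detectable, it does not by itself prevent it.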

Information disclosure

Information disclosure is where an attacker gains access to data they shouldn't have access to, also known as a data breach.

Quality Attribute/s:
Securability (Confidentiality)
Remediations:
data encryption (HTTPS/TLS), only expose the necessary services/data stores/files to users, role-based access controls, data masking, exclude business data and PII/PHI from logs
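
One of the remediations listed above, keeping PII/PHI out of logs, is easy to state and easy to get wrong, because developers log whatever value is in hand at the time. The added example below (not from the original post) shows a logging filter that scrubs messages and arguments before any handler formats them, so the raw value never reaches a file, console or log shipper. The regular expressions, placeholder tokens and sample events are constructed for this example and would be tuned to the system's own data.

```python
import io
import logging
import re

# Patterns for values that must never be written to a log. Constructed for
# this example; a real system would use patterns for its own sensitive fields.
PII_PATTERNS = [
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "<email>"),
    (re.compile(r"\b(?:\d[ -]?){13,16}\b"), "<card>"),  # 13-16 digit payment card numbers
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "<ssn>"),    # US social security numbers
]


def redact(text: str) -> str:
    """Replace every match of a PII pattern with its placeholder token."""
    for pattern, token in PII_PATTERNS:
        text = pattern.sub(token, text)
    return text


class PIIRedactingFilter(logging.Filter):
    """Scrubs the message template and its string arguments.

    Attached at logger level it runs before the record reaches any handler,
    so the raw value is never formatted or written anywhere. Non-string
    arguments (ints, floats) are left alone so %d-style templates still work.
    """

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(str(record.msg))
        if isinstance(record.args, dict):
            record.args = {k: redact(v) if isinstance(v, str) else v
                           for k, v in record.args.items()}
        elif record.args:
            record.args = tuple(redact(a) if isinstance(a, str) else a
                                for a in record.args)
        return True  # keep the record, just scrubbed


def build_logger(name: str, stream: io.StringIO) -> logging.Logger:
    """Logger writing to the given stream with the redacting filter installed."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PIIRedactingFilter())
    return logger


def emit(messages) -> list:
    """Log each (template, args) pair through the redacting logger; return the lines written."""
    buf = io.StringIO()
    logger = build_logger("pii-demo", buf)
    for template, args in messages:
        logger.info(template, *args)
    for handler in logger.handlers:
        handler.flush()
    return buf.getvalue().splitlines()


# Constructed sample events, as an application might log them.
SAMPLE_EVENTS = [
    ("user %s paid with card %s", ("alice@example.com", "4111 1111 1111 1111")),
    ("lookup for ssn 123-45-6789 failed", ()),
    ("order %d shipped", (42,)),
]


if __name__ == "__main__":
    for line in emit(SAMPLE_EVENTS):
        print(line)
```

The filter is a last line of defence, not a substitute for designing log statements that never include business data in the first place; pattern-based redaction will miss formats it does not know about, so review what the application actually logs as part of the threat model.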

Denial of Service

Denial of Service (DoS) is where an attacker performs activities to prevent legitimate users from utilising the system, e.g. submits superfluous requests to consume available resources (CPU/memory/connections), fill up storage/disk space etc.

Quality Attribute/s:
Availability, Reliability, Resilience & Recoverability
Remediations:
monitoring/alerting, log rotation & separation, auto-scaling limits, network rate-limiting, firewalls, intrusion prevention systems

The major cloud vendors provide solutions to mitigate DoS attacks: AWS, Azure, GCS

Elevation of Privilege

Elevation of privilege is where an attacker manipulates the system to gain a higher level of access than intended.

Quality Attribute/s:
Securability (Authorisation)
Remediations:
role-based access controls, apply the principle of least privilege

Tooling for Threat Modelling

Threats generally follow data, so it is quite common to use data flow diagrams when modelling a system for threats. The Microsoft Threat Modeling Tool is a useful tool for visually modelling the components, data flows and security boundaries of a system.

Once the data flows have been modelled, the tool uses a set of rules to automatically generate a list of threats, where each threat is assigned to one of the STRIDE threat categories. Custom rules can also be configured.
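
To make the rule-driven generation concrete, here is an added example (written for this page; it is not the Microsoft tool's code or rule set) of a small data flow model and a rule engine over it. Each rule is a predicate over one data flow plus a STRIDE category; running every rule over every flow produces the threat list, and a custom rule is just another entry in the list. The element attributes (trust zone, audited, rate-limited, privileged), the flow attributes (encrypted, authenticated), the rules themselves and the browser/API/database sample are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Element:
    name: str
    kind: str                   # "external", "process" or "datastore"
    trust_zone: str             # e.g. "internet", "dmz", "internal"
    audited: bool = False       # keeps an audit trail of what it does
    rate_limited: bool = False  # throttles inbound requests
    privileged: bool = False    # runs with more privilege than its callers


@dataclass(frozen=True)
class DataFlow:
    src: Element
    dst: Element
    label: str
    encrypted: bool = False      # protected in transit, e.g. TLS
    authenticated: bool = False  # the receiver can verify who sent it


@dataclass(frozen=True)
class Threat:
    category: str     # a STRIDE category
    target: str       # the flow the threat applies to
    description: str


@dataclass(frozen=True)
class Rule:
    category: str
    applies: Callable[[DataFlow], bool]   # predicate over one data flow
    template: str                          # formatted with src, dst and label


def crosses_boundary(flow: DataFlow) -> bool:
    """A flow crosses a security boundary when its ends sit in different trust zones."""
    return flow.src.trust_zone != flow.dst.trust_zone


# Default rule set, one rule per STRIDE category. Illustrative rules written
# for this example; the real tool ships its own, richer rule set.
DEFAULT_RULES: List[Rule] = [
    Rule("Spoofing",
         lambda f: crosses_boundary(f) and not f.authenticated,
         "{dst} cannot verify that '{label}' really comes from {src}"),
    Rule("Tampering",
         lambda f: crosses_boundary(f) and not f.encrypted,
         "'{label}' from {src} to {dst} can be modified in transit"),
    Rule("Repudiation",
         lambda f: f.src.kind == "external" and f.dst.kind == "process"
         and not f.dst.audited,
         "{dst} keeps no audit trail of '{label}' received from {src}"),
    Rule("Information disclosure",
         lambda f: crosses_boundary(f) and not f.encrypted,
         "'{label}' from {src} to {dst} can be read in transit"),
    Rule("Denial of service",
         lambda f: f.src.trust_zone == "internet" and f.dst.kind == "process"
         and not f.dst.rate_limited,
         "{dst} accepts unthrottled '{label}' from the internet"),
    Rule("Elevation of privilege",
         lambda f: crosses_boundary(f) and f.dst.privileged,
         "privileged {dst} acts on '{label}' from less trusted {src}"),
]


def generate_threats(flows: List[DataFlow], rules: List[Rule] = DEFAULT_RULES) -> List[Threat]:
    """Apply every rule to every flow; each hit becomes a categorised threat."""
    threats = []
    for flow in flows:
        for rule in rules:
            if rule.applies(flow):
                threats.append(Threat(
                    rule.category,
                    f"{flow.src.name} -> {flow.dst.name}",
                    rule.template.format(src=flow.src.name, dst=flow.dst.name, label=flow.label)))
    return threats


def count_by_category(threats: List[Threat]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for t in threats:
        counts[t.category] = counts.get(t.category, 0) + 1
    return counts


def example_model() -> List[DataFlow]:
    """Constructed sample: a browser talking to a web API that queries a database."""
    browser = Element("Browser", "external", "internet")
    api = Element("Web API", "process", "dmz")
    db = Element("Orders DB", "datastore", "internal")
    return [
        DataFlow(browser, api, "login request", encrypted=True),            # HTTPS, but anyone may send it
        DataFlow(api, db, "SQL query", encrypted=False, authenticated=True),  # DB credentials, plain TCP
    ]


if __name__ == "__main__":
    for t in generate_threats(example_model()):
        print(f"[{t.category}] {t.target}: {t.description}")
```

Running it on the sample model yields five threats: spoofing, repudiation and denial of service on the unauthenticated, unthrottled, unaudited login flow, and tampering and information disclosure on the unencrypted database flow. Setting authenticated, audited and rate_limited on the corresponding elements makes those threats disappear, which is exactly the loop the next section describes: each design iteration changes the model, and the rule set tells you which threats that change introduced or retired.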

Performing Threat Modelling as a Design Activity

The threat models should be evaluated during each design iteration of the Attribute Driven Design process and updated where appropriate. Changes to the threat model will most likely generate new potential threats. As you work through the mitigation for each threat, check that it is covered by the quality attribute scenarios and update the system design if required.

Conclusion

Performing threat modelling makes you examine a software system from a security perspective; in other words, it prompts you to think like a malicious hacker. Practising it as an ongoing design activity, during each iteration of the Attribute Driven Design process, ensures that security is considered early in the development life-cycle and helps to keep your system secure as it evolves.

Further Reading