
Better Web Apps Security With Threat Risk Modelling



Prevention is the best form of cure! This rule also applies when assessing a web application for security risks or for its potential to be hacked. Rather than adopting an ad-hoc approach, it is better to plan a structured assessment that identifies and prioritises the important risks and threats. Such an assessment is known as threat risk modelling.

The appropriate time for this type of assessment is in the initial stages of designing the application, before development starts. This saves time and effort in two ways: risky features that facilitate hacking are identified early, and development effort is not wasted on controls that do little to combat the real risks.

There are different methods for completing threat risk modelling, each with its own benefits. Adopt a method that you find useful, but one that also follows these principles.

How important is a security review?

Threat risk modelling generally starts with a set of objectives, rather than a single one, to help assess the priority of the review, how much effort is required, and which application(s) should be covered by it. To identify an appropriate set of security objectives, consider the following categories:

  1. Financial – assess the level of potential financial risk if an application is hacked. For example, an online payments application carries a greater financial risk than a brochure-type website with ‘static’ content about a company’s products or services.
  2. Identity – is a customer’s or staff member’s identity at risk of being stolen? With certain applications, a user may be required to prove their identity in order to access particular services. In such situations, the application must provide sufficient protection so that this information cannot be compromised in any way.
  3. Privacy and regulatory commitments – the type of data used by the web application determines the level of protection warranted. For example, public comments on a blog are open for everybody to read, whereas personal data, as defined by the Data Protection Commissioner, requires greater protection to ensure that it is secure. In addition, regulatory requirements can influence what information may be accepted via a web application. For example, money laundering regulations require that various forms of identification are presented when making particular financial applications, so consideration needs to be given to how this is handled in a web application – whether by hard copy via a related paper application or via a scanned upload.
  4. Reputational risk – what would be the damage to your organisation if this web application were found to have been hacked? The greater the reputational risk, the greater the need to focus on securing the application.
  5. Application availability requirements – when an application is hacked, it generally needs to be taken offline for a period of time to correct any damage caused by the hacker. So if there is a service level agreement associated with the application that customers expect to be met, or if the application is required in order to provide a crucial public service, this should lead to a greater security prevention effort. This also relates to reputational risk: when a user wishes to access an online application only to find that it is offline due to a security breach, the user may move to a competitor for that service.

Time for some deep analysis

With the objectives agreed and the important application(s) identified, it is then time to investigate each application in detail to list the features and functions that merit a threat analysis. It is best to review each application progressively from the top down, starting with its architecture. After reviewing the architecture to identify potential areas of risk, move on to identify the functions and data flows associated with those areas.

This analysis of the related functions and data flows involves reviewing:

  • What data is entered and viewed by a user
  • How data is sourced and displayed
  • All related authentication and authorisation functions that are completed within each function and data flow
  • The relevant design decisions and assumptions made by the application architects and developers

To correct the vulnerabilities, identify the threats

Knowing your application in detail, you can then compile a set of likely threats based on currently known threats. You can document these threats either by graphing them or by making a simple list. An example of a typical threat graph, taken from the OWASP guide, is shown below.

Figure: Using a threat graph to plan better web applications security

From the graph or list of likely threats, the important weaknesses in the application can be identified. Once the specific weaknesses are known, remedies (shown in the green boxes of the threat graph) can be designed and developed into an updated application.
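The threat-to-weakness-to-remedy structure described above, modelled as data so that the gaps can be read off mechanically. This is an added example, not code from the article or from the OWASP guide; every threat, weakness and remedy name below is constructed for illustration.

```python
"""Minimal threat-graph model: threats -> weaknesses they exploit -> remedies.

Added example, not from the article or the OWASP guide. All node names are
constructed for a hypothetical online payments application.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class Weakness:
    name: str
    remedies: set[str] = field(default_factory=set)   # the "green boxes"


@dataclass
class Threat:
    name: str
    weaknesses: list[Weakness]


def unmitigated(threats: list[Threat]) -> dict[str, list[str]]:
    """Per threat, the weaknesses on its path that still have no remedy.

    A threat is only closed when every weakness it relies on has a remedy,
    so this report is the work list for the updated application.
    """
    report: dict[str, list[str]] = {}
    for t in threats:
        gaps = [w.name for w in t.weaknesses if not w.remedies]
        if gaps:
            report[t.name] = gaps
    return report


def remedy_coverage(threats: list[Threat]) -> dict[str, int]:
    """How many threat paths each remedy closes; a remedy shared by several
    threats is usually the one to build first."""
    counts: dict[str, int] = {}
    for t in threats:
        for w in t.weaknesses:
            for r in w.remedies:
                counts[r] = counts.get(r, 0) + 1
    return counts


# Constructed sample graph (hypothetical application, hypothetical findings).
no_lockout = Weakness("no lockout on repeated failed logins",
                      {"account lockout / rate limiting"})
weak_session = Weakness("session token is predictable",
                        {"random session ids", "rotate token after login"})
guessable_ids = Weakness("payment ids guessable, no ownership check")  # no remedy yet

SAMPLE_THREATS = [
    Threat("customer account taken over", [no_lockout, weak_session]),
    Threat("another customer's payment viewed", [guessable_ids]),
    Threat("captured session replayed", [weak_session]),
]

if __name__ == "__main__":
    print(unmitigated(SAMPLE_THREATS))      # the open weaknesses, per threat
    print(remedy_coverage(SAMPLE_THREATS))  # which remedies close the most paths
```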

In a follow-on article, I will discuss other elements of threat analysis, including the importance of understanding the context of threats, the type of hacker that you need to combat and different classification schemes that assist in prioritising threats based on their likely impact and context. Please share your comments below.



The Author:

Richard is a believer in and advises companies on the use of Cloud services, Agile and Lean start-up principles. His focus is on innovative solutions that bring practical business benefits. He has over 18 years’ experience in a variety of IT roles, including over 10 years’ management experience working for companies such as IBM Software, Oracle & KPMG Consulting. In his various roles, his focus has been on rolling out innovative IT solutions and services, using user-centred design to deliver practical business benefits. Richie is a PMI certified Project Management Professional and a certified Scrummaster. http://www.rbconsulting.ie

  • http://www.tweakyourbiz.com Niall Devitt

    Great post Richie, perhaps a slightly sideways comment, but I’m seeing a lot of Facebook apps at the moment that are clearly breaking Facebook’s TOS. The overall point here, I think, is that there is a bit more to it than just designing a funky or useful app?

  • Facundo

    Interesting framework Richie. I wonder how one can implement an abridged version to serve clients better, since not everyone would pay for such analysis or have the capacity to do it themselves.
