At a Glance: Web Application Threat Modeling

 

Retired Content

This content is outdated and is no longer being maintained. It is provided as a courtesy for individuals who are still using these technologies. This page may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Threat Modeling Web Applications

patterns & practices Developer Center

J.D. Meier, Alex Mackman, Blaine Wastell

Microsoft Corporation

May 2005

See the "patterns & practices Security Guidance for Applications Index" for links to additional security resources.

Home Page for Threat Modeling Web Applications

Summary: This page provides a summary view of the main inputs, outputs, and steps for creating threat models for Web applications. For detailed step-by-step instructions, see "How To: Create a Threat Model for a Web Application at Design Time".

Contents

Activity Overview
Activity Summary Table

Activity: Threat Modeling for Web Applications

Purpose: Identify relevant threats and vulnerabilities in your scenario to help shape your application's security design.

Input:

  • Key use cases and usage scenarios
  • Data flows
  • Data schemas
  • Deployment diagrams

Output:

  • A list of threats
  • A list of vulnerabilities

Activity Overview

The five major threat modeling steps are shown in Figure 1. You should progressively refine your threat model by repeatedly performing steps 2 through 5. You will be able to add more detail as you move through your application development life cycle and discover more about your application design.


Figure 1. The iterative threat modeling process

The five threat modeling steps are:

  • Step 1: Identify security objectives. Clear objectives help you to focus the threat modeling activity and determine how much effort to spend on subsequent steps.
  • Step 2: Create an application overview. Itemizing your application's important characteristics and actors helps you to identify relevant threats during step 4.
  • Step 3: Decompose your application. A detailed understanding of the mechanics of your application makes it easier for you to uncover more relevant and more detailed threats.
  • Step 4: Identify threats. Use details from steps 2 and 3 to identify threats relevant to your application scenario and context.
  • Step 5: Identify vulnerabilities. Review the layers of your application to identify weaknesses related to your threats. Use vulnerability categories to help you to focus on those areas where mistakes are most often made.

Activity Summary Table

Table 1 summarizes the threat modeling activity and shows the input and output for each step.

Table 1: Activity Summary with Input and Output

Step 1: Identify security objectives
Input:
  • Business requirements
  • Security policies
  • Compliance requirements
Output:
  • Key security objectives

Step 2: Create an application overview
Input:
  • Deployment diagrams
  • Use cases
  • Functional specifications
Output:
  • Whiteboard-style diagram with end-to-end deployment scenario
  • Key scenarios
  • Roles
  • Technologies
  • Application security mechanisms

Step 3: Decompose your application
Input:
  • Deployment diagrams
  • Use cases
  • Functional specifications
  • Data flow diagrams
Output:
  • Trust boundaries
  • Entry points
  • Exit points
  • Data flows

Step 4: Identify threats
Input:
  • Common threats
Output:
  • Threat list

Step 5: Identify vulnerabilities
Input:
  • Common vulnerabilities
Output:
  • Vulnerability list
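
The outputs of steps 3, 4 and 5 can be kept as data and checked against each other on every iteration. The following is an added example, not part of the original guidance: all class names, identifiers and sample values are constructed, and the rule that every data flow crossing a trust boundary should have at least one threat listed is this example's convention, not a requirement stated on this page.

```python
# Added example, not from the original page; every name and value is constructed.
from dataclasses import dataclass, field

@dataclass
class DataFlow:
    name: str
    source: str   # component the data leaves
    dest: str     # component the data enters

@dataclass
class Threat:
    id: str
    flow: str     # name of the data flow the threat applies to
    text: str

@dataclass
class Vulnerability:
    id: str
    threat: str   # id of the threat this weakness relates to
    text: str

@dataclass
class ThreatModel:
    zones: dict   # step 3: component -> trust zone
    flows: list   # step 3: data flows
    threats: list = field(default_factory=list)          # step 4 output
    vulnerabilities: list = field(default_factory=list)  # step 5 output

    def crossing_flows(self):
        """Flows whose endpoints sit in different trust zones."""
        return [f for f in self.flows if self.zones[f.source] != self.zones[f.dest]]

    def gaps(self):
        """Findings to resolve on the next pass through steps 2 to 5."""
        names, ids = {f.name for f in self.flows}, {t.id for t in self.threats}
        covered = {t.flow for t in self.threats}
        reviewed = {v.threat for v in self.vulnerabilities}
        out = [f"{t.id}: unknown data flow {t.flow}" for t in self.threats if t.flow not in names]
        out += [f"{f.name}: crosses a trust boundary, no threat listed"
                for f in self.crossing_flows() if f.name not in covered]
        out += [f"{v.id}: unknown threat {v.threat}" for v in self.vulnerabilities if v.threat not in ids]
        out += [f"{t.id}: no vulnerability review recorded" for t in self.threats if t.id not in reviewed]
        return out

def sample_model():   # constructed: browser -> web server -> database
    return ThreatModel(
        zones={"browser": "internet", "web": "dmz", "db": "internal"},
        flows=[DataFlow("login", "browser", "web"), DataFlow("query", "web", "db")],
        threats=[Threat("T1", "login", "Credentials captured in transit")],
        vulnerabilities=[Vulnerability("V1", "T9", "Login form served over HTTP")])
```

Calling sample_model().gaps() reports the uncovered "query" flow, the vulnerability that points at a threat id not in the list, and the threat that has no vulnerability review yet.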
