Information security threat modeling is understood as the process of constructing an information security threat model. It is performed in order to identify potential information security threats that arise from the use of the software and stem from its design (architectural) features (for example, from design errors), and to refine the program architecture before the program source code is developed or updated. Information security threat modeling is performed by applying a methodology for modeling (enumerating) information security threats.
Existing information security threat modeling methodologies generally allow information security threats to be enumerated on the basis of an analysis of:
– the data flows transmitted between program components and/or elements of its operating environment;
– a list (library) of typical information security threats;
– information security threat trees.
Depending on the methodology used, the input data for information security threat modeling are:
- information on typical computer attack scenarios and typical information security threats relevant to the software being developed;
- usage scenarios for the software being developed and the user requirements for it;
- information on the program architecture design (the intended program components and their interfaces, the concept of their joint operation, and the list of components borrowed from third-party software developers).
Depending on the experience and practical skills of the employees performing information security threat modeling, they may use input information of one or several of these types. In the early stages of implementing secure software development measures, the software developer should use at a minimum the information on typical computer attack scenarios and typical information security threats relevant to the software being developed. As experience and practical skills in information security threat modeling are gained, the input information should be supplemented with usage scenarios for the software being developed, the user requirements for it, and information on the program architecture design.
Typical computer attack scenarios and information security threats should be analyzed to determine their applicability to the software being developed, taking into account its characteristics (for example, the programming languages and technologies used in development) and the characteristics of its intended operating environment.
Sources of information containing typical computer attack scenarios and information security threats include the Information Security Threats Data Bank of the FSTEC of Russia and Open Web Application Security Project (OWASP) publications, such as the “Top 10 Most Critical Web Application Security Risks”.
Usage scenarios for the software being developed and the requirements presented by users should be analyzed in order to identify information security threats related to the fulfillment of these requirements and scenarios by the software being developed. The analysis should be performed taking into account the developed intruder model.
Identification of information security threats on the basis of information about the program architecture design is performed by analyzing the data flows transmitted between program components and/or elements of its operating environment, or information about known vulnerabilities in components borrowed from third-party software developers.
Typical actions performed in preparation for implementing the secure software development measure
In preparation for implementing the secure software development measure, the software developer should:
a) examine the software developer's existing processes within the scope of the secure software development measure “Information security threat modeling”;
b) select (refine) and describe the methodology for modeling (enumerating) information security threats. When describing the methodology used, the software developer may give a reference to a source of information containing a description of the information security threat modeling methodology;
c) select and install in the software development environment the tools for implementing the secure software development measure, taking into account the recommendations given in Appendix B;
d) determine the procedure for collecting the input information needed to perform threat modeling, taking into account the need to perform the following typical actions:
1) collect information on the field of application of the software being developed and the type of information it processes;
2) collect information on the program architecture design (the intended program components and their interfaces, the concept of their joint operation) and on the elements of the software operating environment with which the software being developed is to be integrated (is to operate jointly);
3) compile a list of the components borrowed from third-party software developers that are intended for use in developing the software;
e) determine the procedure for developing and documenting the intruder model. The intruder model is developed in order to determine the types of intruders, their motivation and their capabilities for implementing information security threats. The intruder model is subsequently used to identify the information security threats that may arise from the use of the software. When developing the intruder model, the following should be taken into account:
* the field of application of the software being developed (for example, the security class of the information system in which the software being developed is planned to be used);
* the type of information processed by the software (for example, personal data, information constituting a state secret, or publicly available information).
Developing the intruder model taking into account the features of the software being developed and its operating environment is preferable to using previously created, unmodified intruder models that were developed without taking these features into account;
f) determine the procedure for analyzing the security of components borrowed from third-party software developers that are intended for use in developing the software, taking into account the need to perform the following typical actions:
1) evaluate the components borrowed from third-party software developers that are proposed for use in development, and select those components whose use does not lead to a deterioration of the overall security of the software being developed;
2) document and keep up to date the results of the analysis and the justification of the choice (i.e. when the third-party components used and/or their versions change, the corresponding information should be re-documented);
g) determine the procedure for identifying and documenting information security threats, taking into account the need to perform the following typical actions:
1) in accordance with the chosen information security threat modeling methodology, identify and document the information security threats relevant to the software being developed;
2) check the wording of the documented information security threats for adequacy to the software being developed.
When documenting the list of identified potential information security threats, a unique identifier and the wording of the threat should be given for each identified information security threat. It is recommended to use the software developer's own information security threat model templates (if any) for documenting information security threats;
h) determine the procedure for handling the documented information security threats, taking into account the need to perform the following typical actions:
1) analyze each documented information security threat in order to determine the strategy for handling it;
2) for each information security threat, document the handling strategy;
3) check the wording of the documented strategies for handling information security threats for adequacy to the software being developed;
i) determine the procedure for periodic analysis and revision of the documented information security threats, taking into account the need to perform the following typical actions:
1) determine the events upon whose occurrence the documented information security threats are analyzed and revised;
2) when such events occur, analyze the documented information security threats and revise the chosen handling strategy;
3) update the software developer's documentation (program architecture design, program test plans) with the results of the analysis and revision of the documented information security threats.
The documented information security threats should be periodically analyzed and updated on the basis of up-to-date information on typical computer attack scenarios and information security threats, the usage scenarios for the software being developed and the user requirements for it, and the program architecture design;
j) define the overall structure of the information security threat modeling process, including the general list of procedures and actions, the results to be recorded, and the start times and time frames of the procedures and actions;
k) appoint the employees responsible for implementing the secure software development measure and familiarize them with the documentation related to implementing the secure software development measure.
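The following is an added worked example, not code from the original document or from any methodology it names. It shows in one place how the threat enumeration based on data flows between program components and on borrowed third-party components, the documentation of each threat with a unique identifier and wording (item g)), the documentation of a handling strategy per threat (item h)), and a review trigger fired when a third-party component version changes (items f) and i)) can be implemented as a small threat register. The component names, the flows, the library version strings and the per-flow threat library (a STRIDE-like set of templates applied to flows that cross a trust boundary) are all constructed for illustration and are assumptions, not content of the document.

```python
"""Threat register derived from a data-flow model of the program.

Added example for illustration; not code from the original document.
Component names, flows, versions and the threat library are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Strategy(Enum):
    """Handling strategy documented for each threat."""
    MITIGATE = "mitigate"
    ACCEPT = "accept"
    TRANSFER = "transfer"
    AVOID = "avoid"


@dataclass(frozen=True)
class Component:
    name: str
    third_party: bool = False   # borrowed from a third-party developer
    version: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    data: str
    crosses_trust_boundary: bool = False
    sensitive: bool = False


@dataclass
class Threat:
    ident: str                          # unique identifier
    wording: str                        # threat wording
    source: str                         # flow or component it was derived from
    strategy: Optional[Strategy] = None  # documented handling strategy
    needs_review: bool = False          # set by the review trigger


# Constructed typical-threat library: (code, wording template, applicability predicate).
FLOW_THREATS: list[tuple[str, str, Callable[[Flow], bool]]] = [
    ("SPOOF", "Spoofing of {src} towards {dst} on the {data} flow",
     lambda f: f.crosses_trust_boundary),
    ("TAMPER", "Tampering with {data} in transit from {src} to {dst}",
     lambda f: f.crosses_trust_boundary),
    ("DISCLOSE", "Disclosure of {data} in transit from {src} to {dst}",
     lambda f: f.crosses_trust_boundary and f.sensitive),
    ("DOS", "Denial of service against {dst} by flooding the {data} flow from {src}",
     lambda f: True),
]


class ThreatRegister:
    def __init__(self) -> None:
        self.threats: dict[str, Threat] = {}
        self._counter = 0

    def _add(self, wording: str, source: str) -> Threat:
        self._counter += 1
        t = Threat(f"THR-{self._counter:04d}", wording, source)
        self.threats[t.ident] = t
        return t

    def enumerate(self, components: list[Component], flows: list[Flow]) -> list[Threat]:
        """Enumerate threats from the data flows and from borrowed components."""
        added = []
        for f in flows:
            for _code, template, applies in FLOW_THREATS:
                if applies(f):
                    wording = template.format(src=f.src, dst=f.dst, data=f.data)
                    added.append(self._add(wording, f"flow:{f.src}->{f.dst}:{f.data}"))
        for c in components:
            if c.third_party:
                wording = f"Exploitation of a known vulnerability in {c.name} {c.version}"
                added.append(self._add(wording, f"component:{c.name}"))
        return added

    def document_strategies(self, strategies: dict[str, Strategy]) -> None:
        """Record the handling strategy for each threat; clears any review flag."""
        for ident, strategy in strategies.items():
            self.threats[ident].strategy = strategy
            self.threats[ident].needs_review = False

    def unhandled(self) -> list[str]:
        """Threats still lacking a documented strategy or flagged for review."""
        return [i for i, t in self.threats.items() if t.strategy is None or t.needs_review]

    def on_component_change(self, old: Component, new: Component) -> list[str]:
        """Review trigger: a changed third-party component version reopens its threats."""
        if old.name != new.name or old.version == new.version:
            return []
        flagged = []
        for t in self.threats.values():
            if t.source == f"component:{old.name}":
                t.wording = t.wording.replace(old.version, new.version)
                t.needs_review = True
                flagged.append(t.ident)
        return flagged


def build_example_register() -> ThreatRegister:
    """Constructed sample model: client, API server, database and one borrowed library."""
    components = [Component("client"), Component("api"), Component("db"),
                  Component("libjwt", third_party=True, version="1.2.0")]
    flows = [Flow("client", "api", "credentials", crosses_trust_boundary=True, sensitive=True),
             Flow("api", "db", "user records")]
    reg = ThreatRegister()
    reg.enumerate(components, flows)
    return reg
```

For the constructed model the register yields six threats: four for the credentials flow that crosses the trust boundary, one denial-of-service threat for the internal flow, and one for the borrowed library. Changing the library version leaves the other threats untouched but puts the library threat back into the unhandled list until its strategy is re-documented, which is the behaviour items f) and i) ask for.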