
Executive Summary
When designing software or applications, an assessment needs to be carried out to find out what threats may arise. One way is to do threat modeling. Threat modeling is a proactive process of looking for threats in a piece of software or an application. When creating software or application models, we usually use two types of models: the model of what will be built, and the model of any threats that may arise.[1]
Requirements
The security goals of this exercise:
- Determine the appropriate threat modeling approach and method before the implementation of DevSecOps.
- Identify threats early and carry out mitigation to reduce the consequences of those threats.
Below are the requirements needed to implement threat modeling using STRIDE:
- Information relating to applications, services, and topologies used
- Approach method
- Framework
- Threat modeling tool
- Data flow diagram
Threat Modeling Approach & Framework

Research
In carrying out threat modeling, three approaches can be used according to OWASP as follows:
- Application-centric approach: visualizing the application.
- Asset-centric approach: identified by the list of assets.
- Attacker-centric approach: using attacker perspective.
After researching these approaches, I chose an application-centric approach, considering the data that was available to serve as a reference for threat modeling.
Next, I determined which framework can be used with an application-centric approach. I researched several frameworks available for threat modeling. The following are some of the currently available frameworks:
- LINDDUN
- Attack Trees
- TRIKE
- STRIDE
- VAST Modeling
- PASTA
- Persona non-Grata
- Quantitative TMM
- hTMM
- CVSS
- OCTAVE
- Security Cards
Next, I mapped the framework based on the approach, and the following results were obtained:
- Asset-centric: STRIDE, LINDDUN, Security Cards, Quantitative TMM, VAST Modeling, OCTAVE, PASTA.
- Attacker-centric: PASTA, Persona non-Grata, hTMM, TRIKE, Attack Trees.
- Application-centric: STRIDE, CVSS, Attack Trees, Security Cards, VAST Modeling, OCTAVE.
The following are the results of comparative research on several of the frameworks above.
| Methods | Pros | Cons |
|---|---|---|
| STRIDE | | |
| PASTA | | |
| LINDDUN | | |
| CVSS | | |
| Attack Trees | | |
| Persona non-Grata | | |
| Security Cards | | |
| hTMM | | |
| Quantitative TMM | | |
| TRIKE | | |
| VAST Modeling | | |
| OCTAVE | | |
The following are the criteria I used to select the approach and method:
- Easy to use
- Uses data/information that is easy to obtain
- Supported by tooling
- A mature framework
Based on the criteria above and the results of the comparative research on several approaches and frameworks, the application-centric approach with the STRIDE framework was selected, as it meets all the specified criteria. Below is the threat modeling framework using STRIDE.

Design & Prototype
This is the design for carrying out threat modeling:
- Research several threat modeling approaches and processes.
- Determine the threat modeling approach and method that is suitable, based on the research results.
- Determine the scope for threat modeling in the internal environment.
- Collect information for the selected scope environment.
- Create Data Flow Diagrams.
- List identified threats using the STRIDE methodology and the Microsoft Threat Modeling Tool.
Testing & Implementation
Scoping
The scope of this exercise is a simple web application environment, which serves as the testing and implementation ground for DevSecOps threat modeling.
Information Collection
Below is an example of a simple web application architecture topology.
Architecture topology.

List of Applications/Services
- User browser (Chrome, Mozilla, Edge, etc.)
- HTTPS
- Web applications
- API
- Web service
- Database server
Data Flow Diagrams
The first step is to create a Data Flow Diagram (DFD). DFDs play a fundamental role in threat modeling by providing a clear visual representation of how data moves through a system. Their primary function is to help analysts and security teams identify potential threats and security vulnerabilities within an application's architecture.
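As an added example (not part of the original write-up), the DFD for this topology expressed in Python and walked with the STRIDE-per-element rules from [1]; this is the candidate list an analyst starts from before filling in the per-flow threat tables. Element and flow names are constructed here to match the topology above.

```python
from collections import namedtuple

# STRIDE-per-element (Shostack, ref. [1]): which categories apply to which
# kind of DFD element. A data flow itself cannot be spoofed, but its endpoints
# can, which is why "Spoofing of Destination Data Store" ends up in a flow table.
STRIDE_PER_ELEMENT = {
    "external": "SR",      # e.g. user browser
    "process": "STRIDE",   # e.g. web application, web service
    "store": "TRID",       # e.g. database server
    "flow": "TID",         # e.g. HTTPS, API, database request/response
}
CATEGORY = {"S": "Spoofing", "T": "Tampering", "R": "Repudiation",
            "I": "Information Disclosure", "D": "Denial of Service",
            "E": "Elevation of Privilege"}

Element = namedtuple("Element", "name kind")   # kind: key of STRIDE_PER_ELEMENT
Flow = namedtuple("Flow", "name source target")

# Constructed DFD for the topology in this write-up (names are hypothetical).
BROWSER = Element("User Browser", "external")
WEB_APP = Element("Web Application", "process")
WEB_SVC = Element("Web Service", "process")
DATABASE = Element("Database", "store")
FLOWS = [
    Flow("HTTPS (Browser - Web App)", BROWSER, WEB_APP),
    Flow("HTTPS (Web App - Browser)", WEB_APP, BROWSER),
    Flow("API (Web App - Web Service)", WEB_APP, WEB_SVC),
    Flow("API (Web Service - Web App)", WEB_SVC, WEB_APP),
    Flow("Database Request", WEB_SVC, DATABASE),
    Flow("Database Response", DATABASE, WEB_SVC),
]

def candidate_threats(flow):
    """(category, subject) pairs a reviewer must consider for one flow: the
    flow's own letters plus those of its source and target elements."""
    subjects = [Element(flow.name, "flow"), flow.source, flow.target]
    return [(CATEGORY[letter], subject.name)
            for subject in subjects
            for letter in STRIDE_PER_ELEMENT[subject.kind]]

def threat_checklist(flows=FLOWS):
    """Per-flow candidate lists; the analyst fills in the Threat, Description
    and Priority columns for those that actually apply to the design."""
    return {flow.name: candidate_threats(flow) for flow in flows}

if __name__ == "__main__":
    for name, candidates in threat_checklist().items():
        print(name)
        for category, subject in candidates:
            print(f"  {category:<23} {subject}")
```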

Threat Model Summary
Total Threats: 31
Threats List
After creating the DFD, we identify potential threats to each element using the structured STRIDE method.
In the table created, we record the following information: Threat, Category, Description, and Priority.
- Threat: The type of attack that can be used by attackers against the element in question.
- Category: The attack category based on the STRIDE elements (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege).
- Description: A detailed explanation of the attack activity.
- Priority: The priority for remediation, based on the severity level of the risk value of each type of attack. The risk value can be calculated independently using the CVSS (Common Vulnerability Scoring System) calculator, by referring to organizations that have already performed the calculation, or from CVEs that have been publicly released.
API (Web App - Web Service)

| No | Threat | Category | Description | Priority |
|---|---|---|---|---|
| 1 | Web Application Process Memory Tampered | Tampering | Web applications can tamper with web services if given memory access. | Critical |
| 2 | Replay Attacks | Tampering | Packets without sequence numbers can be intercepted and retried in other ways. | Medium |
| 3 | Collision Attacks | Tampering | Attackers can overlap data by sending a series of packets. | Medium |
| 4 | Weak Authentication Scheme | Information Disclosure | Vulnerable to common weaknesses in authentication. | High |
| 5 | Elevation Using Impersonation | Elevation of Privilege | Web services can seek additional privileges by imitating the context of a web application. | High |
API (Web Service - Web App)

| No | Threat | Category | Description | Priority |
|---|---|---|---|---|
| 1 | Web Service Process Memory Tampered | Tampering | Web service can tamper with web applications if given memory access. | Critical |
| 2 | Cross-Site Scripting (XSS) | Tampering | If the input is not properly sanitized, web applications can be subject to XSS attacks. | High |
| 3 | Elevation Using Impersonation | Elevation of Privilege | Web services can seek additional privileges by imitating the context of a web application. | High |
Database Request

| No | Threat | Category | Description | Priority |
|---|---|---|---|---|
| 1 | Spoofing of Destination Data Store Database | Spoofing | An attacker can spoof the database, which can cause data to be written to the target. | High |
| 2 | Potential SQL Injection Vulnerability for Database | Tampering | SQL injection is a type of cyber-attack that targets web applications by exploiting vulnerabilities in their SQL database interactions. | High |
| 3 | Potential Excessive Resource Consumption for Web Service or Database | Denial of Service | Attacks that use resource consumption are possible when the web or database controls resources by taking explicit steps. | Medium |
| 4 | Weak Credential Storage | Information Disclosure | Credentials on the server can be exposed, and credentials on the client can be stolen. | High |
| 5 | Risks from Logging | Tampering | Log files can be used to attack the log readers. | Medium |
| 6 | Lower Trusted Subject Updates Logs | Repudiation | Too many people writing logs can be a problem in repudiation. | Medium |
| 7 | Data Logs from an Unknown Source | Repudiation | Logs from unknown external users must be identified. | Medium |
| 8 | Insufficient Auditing | Repudiation | Log data that is not captured properly will complicate the audit process. | Medium |
| 9 | Potential Weak Protections for Audit Data | Repudiation | Attacks on audit mechanisms such as log deletion may occur. | High |
Database Response

| No | Threat | Category | Description | Priority |
|---|---|---|---|---|
| 1 | Spoofing of Source Data Store Database | Spoofing | An attacker can spoof the database, which can cause data to be written to the target. | High |
| 2 | Weak Access Control for a Resource | Information Disclosure | Confidential information may be read by attackers if database protection is not performed properly. | High |
| 3 | Risks from Logging | Tampering | Log files can be used to attack the log readers. | Medium |
HTTPS (Browser - Web App)

| No | Threat | Category | Description | Priority |
|---|---|---|---|---|
| 1 | Cross-Site Scripting | Tampering | If the input is not properly sanitized, web applications can be subject to XSS attacks. | High |
| 2 | Elevation Using Impersonation | Elevation of Privilege | Web applications can seek additional privileges by imitating the context of the user's browser. | High |
| 3 | Potential Data Repudiation by Web Application | Repudiation | Web applications do not accept data from outside sources that are not trusted, but this can happen without being noticed. | Medium |
| 4 | Potential Process Crash or Stop for Web Application | Denial of Service | Web applications can experience several obstacles. | Medium |
| 5 | Data Flow HTTPS Is Potentially Interrupted | Denial of Service | External agents can disrupt data flow. | High |
| 6 | Web Application May be Subject to Elevation of Privilege Using Remote Code Execution | Elevation of Privilege | User browsers can be exploited using remote code execution exploits from web applications. | Critical |
| 7 | Elevation by Changing the Execution Flow in Web Application | Elevation of Privilege | Data to a web application can be passed by an attacker to change the program flow. | High |
| 8 | Cross-Site Request Forgery | Elevation of Privilege | CSRF is a type of cyber-attack where an attacker tricks a user into performing actions on a web application without their consent or knowledge. | Medium |
HTTPS (Web App - Browser)

| No | Threat | Category | Description | Priority |
|---|---|---|---|---|
| 1 | Spoofing of the User Browser External Destination Entity | Spoofing | An attacker can spoof a user's browser to send data to the attacker. | Medium |
| 2 | External Entity User Browser Potentially Denies Receiving Data | Repudiation | User browsers do not accept data from outside sources that are not trusted, but this can happen without being noticed. | Low |
| 3 | Data Flow HTTPS Is Potentially Interrupted | Denial of Service | External agents can disrupt data flow. | High |
Conclusion & Lesson Learned
From the implementation of threat modeling for a simple web application, 31 threats were identified. All of these threats still need to be validated later, to see which have been mitigated and which have not.
The following are the benefits I take away from doing threat modeling:
- Early detection of security flaws
- Improved understanding of the system
- Enhanced risk management
- Compliance and standards adherence
- Informed decision-making
- Enhanced communication and collaboration
- Improved security posture
- Increased confidence in doing business
- Continual improvement
- Reduced incident response costs
In summary, threat modeling is a strategic process that not only helps in identifying and mitigating security risks early but also improves overall system understanding, promotes better communication, ensures compliance, and enhances the security posture of an organization.
References
- [1] A. Shostack, Threat Modeling: Designing for Security. Wiley, 2014.
- [2] OWASP DevSecOps Guideline v0.2, OWASP Foundation. Accessed: Apr. 08, 2024. Available: https://owasp.org/www-project-devsecops-guideline/latest/00b-Threat-modeling
- [3] L. Obiora Nweke and S. D. Wolthusen, "A Review of Asset-Centric Threat Modelling Approaches," 2020. Available: https://ijacsa.thesai.org
- [4] M. J. Coles and I. Tarandach, Threat Modeling: A Practical Guide for Development Teams.