DEV Community

DaNeil C

Pentesting Report: Attack Narrative Series Part 2: Threat Modeling

During my time at Flatiron School I created a password manager for my final project. Though a seemingly simple task, this threw me for a fun loop into authentication and cryptography; and now it is time to test it.
This is part 2 in an ongoing series as I complete the pentest report of the application I built. This series is meant to supplement the actual report that doesn't need the step-by-step breakdown that this will cover.


Part 2: Threat Modeling

This step is part of the main reconnaissance and also feeds the step that follows it, Research and Exploitation. A threat model is a visual representation of how data flows through an application. It is used to identify gaps in security and vulnerable points, and it also helps to categorize and prioritize the threats found during a penetration test. When mitigation recommendations are reported, it bridges the gap between developers and security experts and gives everyone knowledge and awareness, through documentation, of all the identified and rated threats for a project.

~For this penetration test the threat model will be used as a guide and will be modified as the findings of the penetration test are filled in.~

  • The STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) approach will be used through the open source tool from OWASP, Threat Dragon.
  • The ZAP Scanning Report will also be used to help identify any associated CWEs (Common Weakness Enumeration) and WASC (Web Application Security Consortium) threat classification IDs.
  • A CVSS (Common Vulnerability Scoring System) score will be used with the visual model to capture the principal characteristics of each vulnerability and produce a numerical score (ranging from 0-10, with 10 being the most severe) that depicts its severity.

Version: 1.0

Date: 06-03-2020
By: DaNeil Coutlhard
Notes: Base model made from information gathering phase as well as expected vulnerability points from a database. Database type is currently unknown.
Model: (Threat Dragon diagram image, not reproduced here)


Happy Hacking

References

  1. https://wiki.owasp.org/index.php/Category:Threat_Modeling
  2. https://devops.com/threat-modeling-the-why-how-when-and-which-tools/
  3. https://www.geeksforgeeks.org/threat-modelling/
  4. https://insights.sei.cmu.edu/sei_blog/2018/12/threat-modeling-12-available-methods.html
  5. https://www.f5.com/services/resources/white-papers/f5-big-ip-platform-security
  6. https://owasp.org/www-community/Application_Threat_Modeling
  7. https://threatmodeler.com/threat-modeling-methodologies-overview-for-your-business/
  8. https://www.owasp.org/images/e/e9/Threat-Modelling_oct2017.pdf
  9. https://owasp.org/www-project-threat-dragon/
  10. https://threatdragon.org/
Please Note that I am still learning. If something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.
