The latest articles on DEV Community by Anusha Reddy (@mailanushamn). https://dev.to/mailanushamn https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F839489%2F93374b1b-61d9-494d-acc6-bcd2832f2782.png https://dev.to/mailanushamn en Anusha Reddy Sat, 02 Apr 2022 15:20:14 +0000 https://dev.to/mailanushamn/the-5ws-of-threat-modeling-j58 https://dev.to/mailanushamn/the-5ws-of-threat-modeling-j58 <p><strong>What</strong>?<br> <em>Well, it’s a process which identifies security requirements, threats &amp; vulnerabilities. It helps in understanding the impact of threats and also quantifies their severity.</em></p> <p><strong>Why?</strong><br> <em>Because, it helps you spot design flaws early in SDLC which can be missed during code reviews or testing and keeps the attackers at bay.</em></p> <p><strong>When?</strong><br> <em>Typically during the design phase. But it’s never too late to know your flaws and rectify them for the future.</em></p> <p><strong>Where?</strong><br> <em>Hmm, I will tell you where you can create a Threat model diagram.<br> There are different tools which can be used like Cairis, IriusRisk, Kenna, Microsoft Threat Modeling Tool etc.</em></p> <p><strong>Who?</strong><br> <em>Usually one or more members of security team along with the engineering team participates in this process.</em></p> <p><strong>Ok, now that we know what it is, how to do this?</strong></p> <ol> <li><p><em>You need to know what you are trying to accomplish through your software. Basically</em>, <strong>Set objectives</strong>.</p></li> <li><p><em>You know what you want</em>, <strong>Visualise</strong> <em>how to do it</em>. <em>Design the architecture of your application</em> .</p></li> <li><p><em>Now, think about what could go wrong</em>. <strong>Identify threats</strong>. <em>This is where the threat modeling tools come in handy</em>. <em>If you represent your architecture through a threat model diagram</em>, <em>it identifies the threats and gives possible mitigations</em>.</p></li> <li><p><em>You have a list of threats, what are you going to do about it? The obvious choice is to</em> <strong>Mitigate</strong> <em>them</em>.</p></li> <li><p><em>Did you do a good job in fixing them</em>? <strong>Validate</strong>.</p></li> </ol> <p><strong>Easy with an example</strong>?</p> <p><em>Consider a sample Order application whose objective is to create an order request</em>.</p> <p><em>Lets visualise the design</em></p> <ul> <li> <em>We need a Web API to receive the request from the client</em>.</li> <li> <em>Web API communicates with Order service</em>.</li> <li> <em>Order service communicates with a database to store the request</em>.</li> <li> <em>To identify threats</em>, <em>I have used Microsoft Threat Modeling Tool to create a threat model diagram</em>. <em>The tool analyses the design</em>, <em>spots the security threats and vulnerabilities and also gives possible mitigations</em>.</li> </ul> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--AuJfzYk6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/93mtef3dxb2mze4eai75.PNG" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--AuJfzYk6--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://dev-to-uploads.s3.amazonaws.com/uploads/articles/93mtef3dxb2mze4eai75.PNG" alt="Image description" width="880" height="430"></a></p> <p><em>Once we mitigate a particulat threat</em>, <em>we can provide our justification in the justification column</em>.<br> <em>Once the justification is validated, we can change the state to mitigated</em>.</p> <p><strong>In conclusion</strong>, <strong>with this process we can identify the security flaws during the design phase</strong>, <strong>rectify them before the software release and prevent costly re-coding after deployment</strong>.</p>