Threat Modeling
Shift Left to Design for Security
Not all application security vulnerabilities come from coding errors. About half come in the form of software design flaws which will typically be unique to your applications, making them hard to find – in many cases impossible to find – with automated tools.
-
Trust Boundary Violations
-
Authentication Bypass
-
Commingling Data and Control Instructions
-
Improper Authorization
-
Inconsistent Input Validation
-
Misused Cryptography
-
Improper Sensitive Data Handling
-
Unsafe External Components
| ATTACK SCENARIO | COMPONENT(S) | ASSET(S) / CONTROL(S) | THREAT ACTOR(S) |
|---|---|---|---|
| Unauthorized disclosure of Password hashes and salts | Single sign-on | Credential key-value store MFA for administrators, comprehensive audit logs for admin access | Compromised or malicious insider |
| Hijacked service container used to abuse credential injection with attempts to establish persistence. | Worker node | Encryption keys Hashicorp Vault | Compromised service or cloud based actor |
| Malicious third party service abuses trust relationships between microservice tiers. | Microservices API | Customer data API tokens, rate limiting | Third party service |
Whether applied early or late in a project’s lifecycle, NetSPI uses threat modeling to provide extensive, context aware remediation guidance for hard-to-fix defects in the design of software. Additionally, threat modeling can be applied iteratively throughout the lifetime of an application to provide a constant value stream.
NetSPI provides you with an understanding of the current level of security in your software and its infrastructure components by:
- Interviewing key system stakeholders to understand business context, implementation details, and system risks
- Reviewing available documentation to gain a deeper understanding of the application
- Constructing a threat model diagram to facilitate analysis of attack scenarios and system vulnerabilities and risks
- Identifying threats to any vulnerabilities in the application
- Comparing your current security measures with industry best practices
- Providing recommendations that you can implement to mitigate threats and vulnerabilities and meet industry best practices
Leveraging the brightest minds in the industry, world-class technologies, and ability to think like real-world adversaries, NetSPI’s Threat Modeling helps you secure your entire attack surface through:
Finding vulnerabilities that other methods cannot.
Providing strategic insight into the threats and corresponding security features that matter.
Proactively preventing entire classes of vulnerabilities from existing.
Eliminating wasteful security activities and features.
