PROACTIVE RISK
  • About
    • 800 lb Gorilla
    • Our Manifesto
    • Simple Agreements >
      • Mutual Confidentiality and Non Disclosure Agreement
      • Master Agreement | Work Order
    • BLOG
    • Capabilities Summary
    • Request Support
    • Contact Us
  • SOLUTIONS
    • Fractional CIO/CISO
    • Cyber Recruiter
    • Threat Modeling
    • Policies and Plans
    • MonitorIT®
    • Software Development
    • Domains | DNS
    • PhishIT®
    • MeasureRISK®
    • Vendor Risk
    • CATSCAN®
    • Physical Security
    • Backup Resiliency
    • ProtectIT®
    • ManageIT®
    • FINDIT® >
      • RAPTOR eDiscovery
  • RESOURCES
    • Tech News
    • Videos
    • Store
    • Guides | Tools
    • STAFF

GRAY BEARD BLOG

SHARING RANDOM THOUGHTS ON TECH

Threat Models help security

2/18/2023

Threat modeling is a structured process for identifying and analyzing the security threats to a system or application before an attacker does it for you. Here is a general process for threat modeling a custom web application exposed to the internet:
  1. Identify the assets: Start by identifying what needs to be protected, such as sensitive data, intellectual property, credentials, or the availability of the web application itself.
  2. Identify the potential attackers: Identify who is likely to attack and with what motivation and resources: opportunistic scanners, hacktivists, insiders, organized crime, or nation-states. The attacker profile drives how likely each threat is.
  3. Create a data flow diagram: Map the flow of data through the web application, including inputs, outputs, and storage locations, and mark the trust boundaries: the points where data passes from a less trusted component (the user's browser, a third-party API) into a more trusted one (your application server, your database). Most threats sit on those crossings.
  4. Identify potential threats: Walk the diagram and, at each boundary crossing, ask what the attackers identified earlier could do there. For a web application this typically includes injection attacks, cross-site scripting, cross-site request forgery, and broken access control.
  5. Assess the likelihood and impact of each threat: Rate each threat for how likely it is, given the attackers identified in step 2, and how much damage it would do to the assets identified in step 1.
  6. Prioritize the threats: Rank the threats by likelihood and impact and decide which must be addressed first. Not every threat will be mitigated; document the ones you choose to accept.
  7. Develop mitigations: Address the prioritized threats with controls that match them: secure coding practices such as parameterized queries and output encoding against injection and cross-site scripting, encryption in transit and at rest against disclosure, and server-side access controls against broken authorization.
  8. Test the mitigations: Verify that the mitigations actually work, through penetration testing, vulnerability scanning, and code review. A control that is documented but never exercised is not a control.
  9. Monitor and update: Continuously monitor the web application and revisit the threat model as new threats emerge or the application changes; any new feature, dependency, or data flow can add a boundary crossing the model does not yet cover.
Threat modeling is iterative: the steps above are repeated throughout the lifecycle of the web application, not performed once at launch. Involve all stakeholders, including developers, security teams, and business owners, so that every part of the application and every asset it handles is considered and protected.
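As an added example, not code from the original post, the process above can be written down as a small threat-model-as-code script: assets and trust zones on a data flow diagram (steps 1 and 3), an attacker profile (step 2), threat candidates generated wherever a flow crosses a trust boundary (step 4), a likelihood times impact score used to rank them (steps 5 and 6), and a mitigation attached to each (step 7). The element names, the category-to-mitigation table, and the 1 to 3 scoring scale are assumptions chosen for illustration; steps 8 and 9 are activities rather than data and are not modeled.

```python
"""Threat-model-as-code for an internet-facing web application (illustrative)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Element:
    name: str
    kind: str   # "external" (outside our control), "process", or "store"
    zone: str   # trust zone; a flow whose ends differ in zone crosses a trust boundary


@dataclass(frozen=True)
class Flow:
    src: Element
    dst: Element
    data: str
    sensitive: bool  # step 1: does this flow carry an asset worth protecting?


@dataclass(frozen=True)
class Attacker:
    name: str
    capability: int  # step 2: 1 = opportunistic, 2 = skilled, 3 = well-resourced


@dataclass(frozen=True)
class Threat:
    flow: Flow
    category: str
    likelihood: int  # 1..3
    impact: int      # 1..3
    mitigation: str

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact


# Step 4 as rules. The category-to-mitigation pairing is an assumed table for this
# example, not a standard; order matters only for tie-breaking in prioritize().
UNTRUSTED_INPUT = [
    ("Injection", "validate input; parameterized queries; no string-built commands"),
    ("Cross-site scripting", "context-aware output encoding; Content-Security-Policy"),
    ("Cross-site request forgery", "anti-CSRF tokens; SameSite cookies"),
    ("Broken access control", "server-side authorization check on every request"),
]
TRUSTED_TO_STORE = [
    ("Information disclosure", "encrypt at rest; least-privilege DB account; TLS to the store"),
    ("Tampering", "parameterized queries; integrity constraints; audit log"),
]
IN_TRANSIT = [("Information disclosure in transit", "TLS on the connection; HSTS on browser-facing endpoints")]


def enumerate_threats(flows, attacker):
    """Generate threat candidates for every flow that crosses a trust boundary."""
    threats = []
    for f in flows:
        if f.src.zone == f.dst.zone:
            continue  # step 3: same zone, no boundary, nothing generated here
        # Step 5: the attacker brings full capability to internet-reachable flows;
        # internal hops assume one prior compromise and score one step lower.
        exposed = "internet" in (f.src.zone, f.dst.zone)
        likelihood = attacker.capability if exposed else max(1, attacker.capability - 1)
        impact = 3 if f.sensitive else 2
        if f.src.kind == "external":
            rules = UNTRUSTED_INPUT      # untrusted data entering our code
        elif f.dst.kind == "store":
            rules = TRUSTED_TO_STORE     # our code writing to the data tier
        else:
            rules = IN_TRANSIT           # everything else crossing a boundary
        for category, mitigation in rules:
            threats.append(Threat(f, category, likelihood, impact, mitigation))
    return threats


def prioritize(threats):
    """Step 6: highest risk first; stable sort keeps rule order on ties."""
    return sorted(threats, key=lambda t: t.risk, reverse=True)


def build_model():
    """Steps 1 and 3: a constructed three-tier web app with three trust zones."""
    browser = Element("Browser", "external", "internet")
    app = Element("Web App", "process", "app")
    db = Element("Customer DB", "store", "data")
    return [
        Flow(browser, app, "login form, search query", sensitive=True),
        Flow(app, browser, "rendered HTML", sensitive=False),
        Flow(app, db, "SQL over TCP", sensitive=True),
        Flow(db, app, "customer records", sensitive=True),
    ]


if __name__ == "__main__":
    ranked = prioritize(enumerate_threats(build_model(), Attacker("hacktivist", 2)))
    for t in ranked:
        print(f"[risk {t.risk}] {t.category:34} {t.flow.src.name} -> {t.flow.dst.name}: {t.mitigation}")
```

Running it against the constructed model ranks the four browser-to-app threats first, which is the point of drawing the boundaries before listing threats: the internet-facing crossing dominates the list, and swapping in a more capable attacker raises the scores without changing the diagram.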

For more information on Threat Modeling, contact us.

    Tom Brennan

    This is my blog, there are many like it but this one is mine. Enjoy.


Contact Info

Proactive Risk Inc.
Tel: +1 (973) 298-1160
Web: www.proactiverisk.com
eMail: sales(at)proactiverisk.com

© COPYRIGHT 2023. ALL RIGHTS RESERVED.