User Account

All Pages

Thread risk analysis and modeling process

Assignment Help Database Management System
Reference no: EM13907184

The Thread Risk Analysis and Modeling Process

1. Assemble the threat-modeling team.
2. Decompose the application.
3. Determine the threats to the system
4. Rank the threats risk by decreasing risk.
5. Choose how to respond to the threats
6. Choose techniques to mitigate the threats
7. Choose the appropriate technologies for the identified techniques. A. Assemble the threat risk modeling team (less than 10)
Security person

Members of design, development, testing, documentation, sales teams;

Communicate the goal of the meetings: to find threats, not to fix them

The iterative process should not take for ever

Decompose the application

Create high level diagrams of system components

Iteratively decompose the previous diagram layer, making sure all important elements are captured (remember the threat tree example)

C. Determine the threats and countermeasures for system components

Determine the Threat Risks

Rank the threats risk by decreasing risk.

Choose how to respond to the threats

Choose techniques to mitigate the threats

Choose the appropriate technologies for the identified techniques.

B. Decompose the application. Create high level diagrams of system components

1. Use DFDs(Data Flow Diagrams)[1]
https://www.slideshare.net/starbuck3000/threat-modeling-web-applications
Slides 53- include DFD demos
Not easy (Developers, other stakeholders)

2. Use the Thread Risk Analysis and Modeling Tool from Microsoft (TRAM)

Wizard based
Makes easier for developers to build the Thread Risk Model
Ensures detailed information is retained
Helps with Knowledge sharing between projects
Evaluates the application vulnerabilities to create a prioritized set of countermeasures to measure and contain the risks.

B.2. Create high level diagrams of system components (continued)

The list of components and their interactions help suggest the threat trees

Define User Roles such as Administrator, User, Web Designer, Auditor

Define Data Groups: Define the logical data groups in your application based on the functionality in the application; for example Payroll Data, Authentication Data, Web Pages, Web Service Code

Define Data Access Control: List what a user can do in the application: create, read, update, and/or delete (CRUD) within that group and add conditions, if any

Define Components, Service Roles, and Identities and Select Component Relevancies:

B.2. Create high level diagrams of system components (continued)

The list of components and their interactions help suggest the threat trees
For technologies not listed in the attack library, import the attack library: Tools -> Attack Library -> Import.

Generate/Create Use Cases: Menu item: Tools -> Generate Use Cases. The cases are based on the information from the previous steps.

Define CALLS: Detail each use case with its appropriate call structure: data sent/data received and authorization entries. You can copy/paste or drag/drop calls from one use case to another. Check each use case by looking at Call, Data and Trust flow Visualizations

) Determining Threats Risks and Countermeasures

Generate and Evaluate Threats: Tools -> Generate Threats, click "OK" to generate threats. Then evaluate each threat risk by selecting appropriate risk factors and risk response.

Use DREAD for evaluation.

Refresh Countermeasures: Tools -> Refresh Countermeasures, will identify countermeasures for each threat.

Analyze the Threat Trees

Customize Metadata: Tools -> Options -> metadata Editor

Download and install the TAM tool. Perform Threat Risk Modeling of the Payroll Application[1] using TAM. Submit 10 slides different than the slides given here as sample.

Provide at last 6 Analytics, Visualization or Reports Results including customization and additional configuration screens.
Check slides 4 for TAM tool and instruction

SwSecurity Design Best Practices

Addressing STRIDE concerns

Spoofing(Impersonation) vs Authentication

Spoofing(Impersonation) vs Authentication
Attacker steals or guesses another user's credentials
Attacker changes Session Cookie's content to make it appear as coming from another user or another server

Spoofing Countermeasures

Implement strong authentication
Use Operating system frameworks
(e.g.) Kerberos
Use Encrypted Session cookies
Use Digital Signatures

Weaknesses(Spoofing)

Using unencrypted credentials
Storing credentials in cookies/ parameters
Self-designed/unproven authentication methods
Authentication to the wrong trust domain

Tampering vs information integrity
WebSite Defacement
Changing data in transit

Tampering Countermeasures

Use operating system security to lock down files, directories, other resources
Validate and Sanitize input data
Encrypt/sign data in transit (SSL/ IPSec)

Weaknesses(Tampering)

Using data sources without validation
Running with escalated privileges
Unencrypted Sensitive data
Missing Input Validation

SwSecurity Design Best Practices

Attachment:- HomeWorkSecurity.rar

Reference no: EM13907184

Questions Cloud

Size of an uncompressed text : Suppose the size of an uncompressed text file is 1 megabyte. How long does it take to download the file over a 32 Kilobit per second modem? How long does it take to take to download the file over a 1 megabit per second modem?
What barriers to success might people with disabilities : What barriers to success might people with disabilities
Should the company accept the special order : Prepare a report to management explaining the findings for the situations described above. Include in the report a description of the steps that the company should the following to make these short term decisions. Explain the importance of develop..
Terms of the difference : A typical password is about 8 characters long (and so can be stored in 8 bytes, or 64 bits). However, a typical key for encryption/decryption is much longer, and a key of 64 bits would not be considered secure. Explain this in terms of the differe..
Thread risk analysis and modeling process : Determine the threats and countermeasures for system components and determine the Threat Risks - Decompose the application. Create high level diagrams of system components
Prepare the material price variance : After computing the individual variances, are there any variances that need to be investigated given the assumption that any variance in excess of 1% should be investigated? Explain.
Event model for marketing purposes : Many web sites make vigorous (over) use of many of the events in the dynamic HTML event model for marketing purposes. In some cases, one URL call may open 10 or more other Windows.
Arithmetic instructions and a branch instruction : A computer system is using pentium-5 processor with 5 stages in pipeline processing with cycle time of 5ns, whereas another computer system is using pentium-7 processor with 7 stages in pipeline processing with cycle time of 3.75 ns.
Find example most current year in each of funds were used : discuss when the government and nonprofit organizations would use each of the following funds:- Capital projects fund and Debt service fund

Reviews

Write a Review

Database Management System Questions & Answers

  Implementation of oilco and exploreco

1. Compare and contrast the implementation of OilCO and ExploreCO. 2. What were the similarities and differences between the two implementations?

  Create the primary key and foreign keys using a uml class

In order to move forward, the local university will need to develop a data model that will retain student records and perform various data extract transform and load (ETL) processes.

  Database management systems

Referential integrity "rules" trigger some cleanup of your data when insertion, update, or deletion events would typically cause data anomalies. But the word "trigger" has its own place in database design and implementation. Research the concept o..

  Apply and consolidate skills acquired in the requirement

Develop a domain model for the car park system. Express your model with a class diagram, showing any inheritance and compositional relationships.

  Data protection and security

Discuss ways that the IT organization can counter the negative impacts of social networking. Explain how the IT organization can maintain an ethical posture while managing organizational behavior related to social networking.

  Dependencies can you infer does not hold over relation s

From the JD, the set of relation schemes SP, PJ, and JS is a lossless-join decomposition of SPJ. Construct an instance of SPJ to illustrate that no two of these schemes su?ce.

  Draw an entity relationship diagram (erd)

Draw an entity relationship diagram (ERD) for the following situation: A company has a number of employees.  Each employee is identified by an Employee_Id.  The company wants to store Employee_Name, Employee_Address, and Employee_BirthDate in the dat..

  Your company has put in the request for a new database

your company has put in the request for a new database system and you have been tasked with architecting the security

  Construction of a subquery in ms access

What is the difference between the information provided by the E-R Diagram and the data dictionary?

  Implementation of information gathering component

Based on the pseudocode developed in Subtask 1.1, you are to implement the Information Gathering Component in this task.

  Write a memorandum to sam jones

Write a memorandum to Sam Jones (CIO) and present your research findings. Your memorandum should be no longer than 500 words.

  Provision of organization data

Provision of organization data and access on an organizational website.

Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

Submit Assignment

Academics

Major Subjects

Majors

Get In Touch

whatsapp: +1-415-670-9521

Phone: +1-415-670-9521

Email: [email protected]

TERMS & POLICIES

HELP & SUPPORT

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd