Friday, June 10, 2005
Threat Modeling Systems
With the increasing popularity of web applications to perform network related data transactions and other tasks , the need for security based design of applications has also increased .The various threats that an application faces while communicating with the server , clients and other web applications need to be identified to make the design more secure and less prone to vulnerabilities .Thus identification and resolution of such threats in web application is as important as the basic logic involved in it . Threat modeling is actually an engineering technique of developing highly secure web applications functioning in threat prone areas . Threat modeling approach aims at identifying security objectives and prominent threats . This modeling technique is carried out as an iterative procedure involving identification of serious threats , the point of occurrence of threats , how it disrupts the flow of logic, the way the logic is deviated from the path of achievement of security objectives , the state where the application tends to become inconsistent , etc,.
To identify the exact location where the threat is more prominent , decomposition of the application is necessary . This can also aid in the debugging required for modeling . This procedure should be applied in an iterative manner to successively generate better models and to identify the best model that resolves the threat completely.
Threat modeling is needed to reduce risks and to identify where the threats occur, kind of threats , their effects , and to know exactly the stability of web applications . Incremental threat modeling technique is required to develop secure applications with riskfree design such a design would require less maintenance .
The application should use cases and roles to identify serious threats and vulnerabilities because different application types, application usage, and roles can yield different threats and vulnerabilities. Relevancy is provided by Context-precision. Context precision means being specific about the context, application type, and application scenario to increase information relevancy. To ensure that the whole task of threat modeling gets completed in a finite amount of time there is a necessity to provide criteria for entry and exit to watch when the application is completely perfect(good).In addition this approach can be used as a communication and collaboration tool in different phases of application development ( design , coding , deployment , testing , marketing ) and more importantly in documentation to provide more information to the clients about the various threats in the personalized domain of the application. Categorized threat modeling is also a useful strategy to promote reuse of information and effective communication . Pattern based search techniques can be used to identify similar threats and categorize the solutions . This has indirectly led to the classification of threats which can be used in modeling the application more effectively .
Threat modeling can be either manually applied during or after application development . Alternatively an automata ( modeling application) can be designed to model these web applications to achieve precise security objectives . This kind of modeling application can identify the occurrence of threats , their kind and suggest measures (best ) to model the application or it can handle the application as a whole and resolve the threats .Hope the future sees web with threat free applications .
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment