E-Commerce Threat Model using ThreatModeler



Similar documents
ClickView Digital Signage User Manual

Virtual Communities Operations Manual

Form Management Admin Guide

Business Process Management IBM Business Process Manager V7.5

NetIQ Operations Center 5: The Best IT Management Tool in the World Lab

SonicWALL SRA Virtual Appliance Getting Started Guide

Getting Started with the Aloha Community Template for Salesforce Identity

User s Guide For Department of Facility Services

USING STUFFIT DELUXE THE STUFFIT START PAGE CREATING ARCHIVES (COMPRESSED FILES)

owncloud Configuration and Usage Guide

Terminal Four. Content Management System. Moderator Access

Windows Firewall Configuration with Group Policy for SyAM System Client Installation

Deploying Physical Solutions to InfoSphere Master Data Management Server Advanced Edition v11

Installing and Configuring vcloud Connector

Bonita Open Solution. Introduction Tutorial. Version 5.7. Application Development User Guidance Profile: Application Developer

Application. 1.1 About This Tutorial Tutorial Requirements Provided Files

TECHNICAL TRAINING LAB INSTRUCTIONS

3dCart Shopping Cart Software V3.X Affiliate Program Guide

etoken Enterprise For: SSL SSL with etoken

Managing your Joomla! 3 Content Management System (CMS) Website Websites For Small Business

POINT OF SALES SYSTEM (POSS) USER MANUAL

Creating an Event Registration Web Page with Special Features using regonline Page 1

The Blackboard Content System: A Quick Start Guide

Does the GC have an online document management solution?

Install FileZilla Client. Connecting to an FTP server

Central Management Software CV3-M1024

WebEx Meeting Center User's Guide

Using WinSCP to Transfer Data with Florida SHOTS

ER/Studio Enterprise Portal User Guide

Query JD Edwards EnterpriseOne Customer Credit using Oracle BPEL Process Manager

NAS 225 Introduction to FTP Explorer

Shopping Cart Software

Grandstream Networks, Inc. GXV3175 IP Multimedia Phone GUI Customization Guide

SAS Marketing Automation 5.1. User s Guide

e-banking Short Presentation March 2009

Smart Business Architecture for Midsize Networks Network Management Deployment Guide

WEBTrader. User Guide

Setting up SMTP in Talis Decisions

Tutorial: Mobile Business Object Development. SAP Mobile Platform 2.3 SP02

JIJIS EMPLOYER PORTAL USER MANUAL

Outlook Profile Setup Guide Exchange 2010 Quick Start and Detailed Instructions

EBOX Digital Content Management System (CMS) User Guide For Site Owners & Administrators

NetIQ Advanced Authentication Framework - MacOS Client

Comodo Endpoint Security Manager SME Software Version 2.1

A SHORT INTRODUCTION TO CYBERDUCK WITH CLOUD OBJECT STORAGE. Version

How to Create Your Own Crystal Report

SECURE MOBILE ACCESS MODULE USER GUIDE EFT 2013

Module 1. 4 Login-Send Message to Teacher

Windows 8.1 Tips and Tricks

Tutorial: Mobile Business Object Development. Sybase Unwired Platform 2.2 SP02

DocuSign Quick Start Guide. Using Templates. Overview. Table of Contents

How To Create A Powerpoint Intelligence Report In A Pivot Table In A Powerpoints.Com

Managing Qualys Scanners

Table of Contents. Welcome Login Password Assistance Self Registration Secure Mail Compose Drafts...

Using the Content Distribution Manager GUI

Release 2.0. Cox Business Online Backup Quick Start Guide

The Smart Forms Web Part allows you to quickly add new forms to SharePoint pages, here s how:

Accessing Personal Web Folders Macon State College

Tutorial: Using Get Response to Add an Opt-In Box to Your WordPress Site

Tutorial: Mobile Business Object Development. SAP Mobile Platform 2.3

Website Creator Pro Quick Reference Guide. Version: 0.5

EMC Documentum Business Process Suite

Joining an XP workstation to a domain Version 1.00

Document From MAXIMUM BUSINESS INFORMATION TECHNOLOGY ON A. OwnCloud User Manual. TO I Cafe`

MY EWU PORTAL FEATURES AND BENEFITS. Promotion of the Eastern brand name

Learn About Analysis, Interactive Reports, and Dashboards

JBoss Portal 2.4. Quickstart User Guide

F-Secure Messaging Security Gateway. Deployment Guide

Remedy ITSM Service Request Management Quick Start Guide

Microsoft Dynamics CRM Clients

IBM Business Monitor V8.0 Global monitoring context lab

1. Right click using your mouse on the desktop and select New Shortcut.

ECA IIS Instructions. January 2005

Installing and Configuring vcloud Connector

Installing Remote Desktop Connection

Agency Manager Professional Software Manual

Using SSH Secure Shell Client for FTP

How to Add Social Media Icons to Your Website

FILING REPRESENTATIVES TRAINING ONLINE COURSE SCHEDULING USER GUIDE

How to setup a VPN on Windows XP in Safari.

TIBCO ActiveMatrix Service Bus Getting Started. Software Release 2.3 February 2010

Cloud Services ADM. Agent Deployment Guide

PassKey Manager. Schoolwires Centricity

Microsoft Lync TM Order & Provisioning. Admin Guide

ASNA DataGate Studio Working with Connections

Livezilla How to Install on Shared Hosting By: Jon Manning

ilaw Installation Procedure

Oracle Service Bus Examples and Tutorials

Using the Adventist Framework with your netadventist Site

Intranet Website Solution Based on Microsoft SharePoint Server Foundation 2010

Pcounter Web Administrator User Guide - v Pcounter Web Administrator User Guide Version 1.0

Logi Ad Hoc Reporting System Administration Guide

Anti-Executable Dashboard. Last modified: August 2012

How To Connect Your Event To PayPal

USING MS OUTLOOK. Microsoft Outlook

DaRIS portal visual user guide

How to generate an APNs Certificate to use the Apple MDM protocol via the portal

Windows Clients and GoPrint Print Queues

Elementary Website Management December 2013

Transcription:

Table of Contents Introduction:... 2 Web Application details:... 3 Building a Threat Model Diagram:... 4 Cool Car Company Example:... 5 Managing and Analyzing Threats:... 6 Example:... 6 Identify Data Elements:... 7 Identify Roles:... 7 Identify and build a Application component library:... 8 Table of Figures Figure 1 New Threat Model Wizard... 3 Figure 2 Component Properties... 5 Figure 3: Cool Car Company Threat Model... 6 Figure 4: Cool Car Company Threat Analysis... 6 Figure 5 Manage Data Elements... 7 Figure 6: Cool Car Company Technology Stack... Error! Bookmark not defined. 2012 MyAppSecurity Inc. All Rights Reserved. Page 1

Introduction: ThreatModeler allows users to capture the entire flow of the application, and define certain properties based on which it automatically generates threats and classifies them under various risk categories. Its simple to use navigation wizard help users to enter the required information they will need to get started with their application and create the threat profile of the application. ThreatModeler provides a mind mapping approach to threat modeling, allowing the user to decompose the application just like they do it on the drawing board but at the same time provide features that a drawing board cannot. User can define the communication channel (protocols) between different components; assign data elements and widgets (like Form, URL, Cookie, Session, etc) to these components. Once a user has completed the component diagram, ThreatModeler has an intelligent threat engine, which automatically identifies threats based on the information provided and automatically prioritizes the threats based on risk. This article helps you create a threat model for an E-Commerce application using ThreatModeler and evaluate how it meets your application security needs. Page 2

To begin evaluation the user will require the following information: Web application details Infrastructure stack that the application will be deployed on Decoupled functional components that the application is comprised of Data that the application processes Users who work with the application and their permissions Web Application details: Identify a web application which typically can be designed in a week or two. Things to identify at this step include: URL Web Application Owner Risk Category Technology Framework (.NET/Java) ThreatModeler provides a wizard to enter these details. An organization can also save threat model templates which can be used to speed up the process of creating a threat model. In this example the e- commerce application involves selling components for automobiles and is named Cool Car Company. Figure 1 New Threat Model Wizard Page 3

Building a Threat Model Diagram: The Whiteboard is a simple drag-and-drop diagramming interface. The user creates a high level architecture of the application by using various components and interconnecting them by arrows which represent the communication protocol between them. To the left of the screen is the Component Palette. The various icons in the Palette are the components that represent a feature of an application. The user can drag a component onto the canvas from this palette Once several components are placed on the canvas, they can be linked to each other. Take the mouse cursor to the center of a component inside the box. Click and drag the mouse to the other component. Right-click the interconnecting arrows to change the communication protocol. Select a component and click the property panel at the right of the screen. Property window has several tabs to describe the component in detail o Select the data elements that are used by this associated with the component. o Select the roles that with permission to access or use this component o Select the Widgets that will be a part of this component along with the backend they will interact with. For e.g. A login page will have a form that might interact with the database at the backend to validate the password. o Assign Business Requirements if any to this component. o Select a Deployment component on which this component is deployed. o Mark the checkbox if the component is a Protected resource i.e. accessible only after authentication. o You can add notes for reference later or to capture your thoughts on component specific details. o You can view those threats by clicking on View Threats in the right-click menu which shows up another screen with all the threats listed in tabular format for this component. o From this table, you can view further threat details, mitigation steps and add comments. Page 4

Figure 2 Component Properties Right click a component and select View Attack Trees to display threats for this component in a graphical representation. Cool Car Company Example: For our sample E-Commerce Application, the figure below illustrates a threat model of its high level architecture and data flow via the links: Page 5

Figure 3: Cool Car Company Threat Model Managing and Analyzing Threats: Once you have built the component diagram and defined properties, you can go to Dashboard>Threat Management Console. This will bring up a screen which will show you all the threats to the entire application. You can group them by components or by threats via Group by drop down menu at the top of the screen. You can change the status, add or review comments to a threat through this interface. Example: The following figure illustrates the Threat Management Console grouped by Components. Figure 4: Cool Car Company Threat Analysis Page 6

Identify Data Elements: Click Data Elements under the Library tab Review all the Data elements that are provided by ThreatModeler to make sure everything you need is available If you have data elements not in the list, click on Add Data Elements (arrowed below). Figure 5 Manage Data Elements You can add as many Data Elements to the list. When you add a Data Element, specify the classification of that data for ThreatModeler to apply appropriate rules on that data. Identify Roles: 1. Identify the various roles in your organization which may have access to the web application. 2. Below are the various roles typically associated with most applications a. Registered User, b. Unregistered User, c. Admin, d. Maintenance. (Clarify if the maintenance is done under admin account in which case we won't need the maintenance role). 3. If a role doesn t exist in the list, you can add a new role by clicking Roles under Library for others that you would like to add. Page 7

Identify and build an Application component library: Identify the various components that provide functionality to your application. ThreatModeler comes bundled with a list of components like Login, Logout, Registration, etc. these components represent individual features of your application. If a required component does not exist, you can add a new component by o Select Design Components under Library. o Enter the name of the component o Select an icon to represent the component. You can use the default icon for now in order to continue with the pilot. However, ThreatModeler does provide you a feature by which you can upload an icon which represents that component more appropriately. o Select the Associated Threats for that component. For reference, see Login component. Page 8

References: If you have any further questions or need any additional information feel free to contact us at sales@myappsecurity.com Page 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information