Practical Threat Analysis for the Software Industry
Ygor Goldberg
01/10/2005
"The Dark Tower had been rebuilt, it was said. From there the power was spreading far and wide, and away far east and
south there were wars and growing fear. Orcs were multiplying again in the mountains. Trolls were abroad, no longer
dull-witted, but cunning and armed with dreadful weapons. And there were murmured hints of creatures more terrible than all
these, but they had no name."
J.R.R. Tolkien. The Lord of the Rings
Preface
This paper describes Practical Threat Analysis (PTA): a calculative threat modeling methodology and a CASE tool that assist
software security analysts and software developers in assessing system risks and building the most effective risk reduction
policy for their system.
What is threat analysis?
Threat analysis identifies threats and defines a cost-effective risk mitigation policy for a specific architecture,
functionality and configuration. It involves the mapping of assets, modeling of threats and building of a mitigation plan
that lowers system risk to an acceptable level. The mitigation plan is composed of countermeasures which are considered to be
effective against the identified threats.
When should threat analysis be applied?
Threat analysis is required for:
- Complex software systems that integrate multiple infrastructures and technologies.
- Customized application solutions built on standard products.
- All other cases where it is unacceptable to implement pre-compiled “to-do” lists provided by a software vendor or
standards committee.
Threat analysis should be used in the earliest possible stages of system design and thereafter as an ongoing process
throughout the system’s lifecycle of development, integration, change requests and problem management.
The problem
Software development is always constrained by some combination of budget, time and resources, so threat analysis usually ends
up as a task to be done “later”. Since threat analysis is also a skill most programmers and managers lack, the task frequently
ends up being done “never”.
The solution
By using PTA, analysts who are expert in the application domain can quickly build and analyze risk management models and
policies without endangering the project schedule. Knowledge is retained, shared and maintained within the group and program
management has total transparency to system risk without the need for additional resources.
What are the existing tools?
Word-Processor + Spreadsheet Documents – The analyst is free to describe threats and vulnerabilities and to express her
analytical judgement in any format, with no restrictions dictated by the tool. However, the overhead of data management and
calculation is very high, because these tools cannot represent the interrelations between entities (assets, threats,
vulnerabilities and countermeasures) or dynamically re-evaluate the threat model when one of them changes. In practice the data
model required for threat modeling is far beyond what a spreadsheet can express, and most such solutions also lack the
necessary reporting functionality.
Checklist-Based Tools – These are tools that provide pre-defined sets of security recommendations that are used as
checklists. This approach may work for standard applications where all possible security issues are known in advance. Most of
these tools have reporting capabilities and usually come in two flavors:
- Questionnaire-based[1] in which the user is asked to answer a series of questions that reflect the embedded checklist.
- Template-based[2] in which the user is asked to distinguish the specifics of her application from the standard
checklist.
Since this type of tool is based on lists of general-purpose standard countermeasures, it is not flexible in supporting and
encouraging the analyst to create new threat scenarios that are specific to her application.
Threat Modeling Tools – Microsoft’s[3] tool combines Schneier’s attack-tree methodology[4] with the standard Microsoft
threat classification[5] and has four important limitations:
- It doesn’t relate threats to the financial losses caused by the attacks and does not rank countermeasures by their
effectiveness and priority in reducing risk.
- It uses “pre-defined” cases and doesn’t easily fit application-specific threat scenarios.
- It doesn’t provide a complete system view for threat analysis and risk management.
- It has limited reporting and collaborative capabilities.
Introducing PTA
The PTA calculative methodology* and CASE tool enable effective management of operational and security risks in complex
software systems by an existing team. It provides an easy way to maintain dynamic threat models that are capable of reacting
to changes in the system’s assets and vulnerabilities.
With PTA an analyst can maintain a growing database of threats, create documentation for security reviews and produce reports
showing the importance of various threats and the priorities of the corresponding countermeasures.
PTA automatically recalculates threat and countermeasure priorities and provides decision makers with updated action item
lists which reflect the changes in threat realities.
Countermeasure priorities are expressed as a function of the system’s asset values, degrees of damage, threat probabilities
and the degrees of mitigation that the countermeasures provide against the threats.
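The following is an added illustration of a calculative model built from exactly those four inputs (asset values, damage fractions, threat probabilities and mitigation degrees). It is not PTA's own patent-pending formula and not code from the paper; the entities, the risk arithmetic (expected loss = probability × asset value × damage fraction; priority = risk removed per unit of cost) and every figure in the sample model are constructed here for illustration. It also shows the re-ranking that a change in "threat reality" triggers, and how overlapping mitigations of one threat are combined so that residual risk never goes below zero.

```python
"""Toy calculative threat model: asset values, degrees of damage, threat
probabilities and degrees of mitigation in, threat risks and countermeasure
priorities out. Added example with constructed numbers; not PTA's own formula."""
from dataclasses import dataclass
from math import prod
from typing import Dict, List, Tuple


@dataclass
class Asset:
    name: str
    value: float                  # constructed monetary value of the asset


@dataclass
class Threat:
    name: str
    probability: float            # probability the attack succeeds in the period considered (0..1)
    damage: Dict[str, float]      # asset name -> fraction of its value lost if the threat materialises


@dataclass
class Countermeasure:
    name: str
    cost: float                   # implementation cost, same unit as asset values
    mitigation: Dict[str, float]  # threat name -> fraction of that threat's risk it removes (0..1)


def threat_risk(threat: Threat, assets: Dict[str, Asset]) -> float:
    """Expected loss from one threat: probability x sum(asset value x damage fraction)."""
    loss = sum(assets[a].value * frac for a, frac in threat.damage.items())
    return threat.probability * loss


def system_risk(threats: Dict[str, Threat], assets: Dict[str, Asset]) -> float:
    """Total expected loss over all modelled threats."""
    return sum(threat_risk(t, assets) for t in threats.values())


def risk_reduction(cm: Countermeasure, threats: Dict[str, Threat], assets: Dict[str, Asset]) -> float:
    """Risk a single countermeasure removes on its own (ignores overlap with others)."""
    return sum(threat_risk(threats[t], assets) * m for t, m in cm.mitigation.items())


def rank_countermeasures(cms, threats, assets) -> List[Tuple[str, float, float]]:
    """(name, risk reduced, risk reduced per unit cost), most cost-effective first."""
    scored = []
    for cm in cms:
        reduced = risk_reduction(cm, threats, assets)
        scored.append((cm.name, reduced, reduced / cm.cost))
    return sorted(scored, key=lambda s: s[2], reverse=True)


def residual_risk(selected, threats, assets) -> float:
    """Risk left after applying a set of countermeasures. Mitigations of the same
    threat combine multiplicatively (1 - m1)(1 - m2)..., so they can never 'over-mitigate'."""
    total = 0.0
    for t in threats.values():
        factor = prod(1.0 - cm.mitigation.get(t.name, 0.0) for cm in selected)
        total += threat_risk(t, assets) * factor
    return total


def build_model():
    """Constructed sample: two assets, three threats, four candidate countermeasures."""
    assets = {a.name: a for a in [Asset("customer_db", 1_000_000), Asset("web_server", 200_000)]}
    threats = {t.name: t for t in [
        Threat("sqli", 0.3, {"customer_db": 0.5}),
        Threat("dos", 0.6, {"web_server": 0.25}),
        Threat("insider_leak", 0.1, {"customer_db": 0.8}),
    ]}
    cms = [
        Countermeasure("input_validation", 20_000, {"sqli": 0.9}),
        Countermeasure("waf", 50_000, {"sqli": 0.7, "dos": 0.5}),
        Countermeasure("db_encryption", 40_000, {"insider_leak": 0.6, "sqli": 0.3}),
        Countermeasure("ddos_scrubbing", 30_000, {"dos": 0.9}),
    ]
    return assets, threats, cms


def top_countermeasure_after_change(new_insider_probability: float) -> str:
    """Re-rank after a change in threat reality: the insider threat becomes more (or less) likely."""
    assets, threats, cms = build_model()          # fresh model, so the change does not leak
    threats["insider_leak"].probability = new_insider_probability
    return rank_countermeasures(cms, threats, assets)[0][0]


if __name__ == "__main__":
    assets, threats, cms = build_model()
    print(f"system risk: {system_risk(threats, assets):,.0f}")
    for name, reduced, per_cost in rank_countermeasures(cms, threats, assets):
        print(f"{name:18} removes {reduced:>9,.0f}  ({per_cost:.2f} per unit cost)")
    chosen = [cm for cm in cms if cm.name in ("input_validation", "waf")]
    print(f"residual with input_validation + waf: {residual_risk(chosen, threats, assets):,.0f}")
    print("top priority if insider probability rises to 0.5:", top_countermeasure_after_change(0.5))
```

With the constructed figures the baseline ranking is input validation first (it removes the most risk per unit of cost), and raising the insider-leak probability from 0.1 to 0.5 moves database encryption to the top without any other change to the model, which is the kind of automatic re-prioritisation the text describes. Note that `risk_reduction` scores each countermeasure in isolation; when two selected countermeasures cover the same threat, only `residual_risk` gives the true remaining exposure.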
A software development team uses PTA from day one of design and throughout the system’s lifecycle. PTA provides intuitive and
easy ways for iterative interaction between threat analysts and developers. It supports a collaborative process of evaluating
threat risks and ranking the cost-effectiveness of proposed countermeasures.
The team’s “threat analyst” can be the program/product manager, system architect or development lead, who can start being
productive with the CASE tool within hours.
* patent pending
How does PTA relate to security standards?
How does PTA relate to security standards and initiatives such as ISO 17799, BS 7799-2:2002, SSE-CMM, OCTAVE, FIPS 199, GAISP,
COBIT and others?
PTA complements existing standards and appraisal procedures by supplying means for the actual definition of threats,
vulnerabilities and proposed countermeasures. It manages a well designed database of all relevant security entities and
enables production of documentation for the evaluation procedures required by the standards.
Standards recommend procedures for organizations to follow in order to ensure information systems security. These
recommendations include mapping of assets, vulnerabilities, threats and countermeasures, assessment of risks and
implementation of risk mitigation plans. PTA provides the actual means for performing these tasks in a productive
way.
Some standards provide lists of numerous recommended countermeasures that should be implemented. These lists may serve the
analyst as a baseline of definitions of common vulnerabilities and countermeasures and can help her grasp the terminology. PTA
enables the integration of these entities in its database. However, it should be noted that the standard lists cannot cover the
most specific aspects of customized solutions or the particulars of complex systems that integrate several technologies. At
best, compliance with standards provides only baseline security; additional analysis of application-specific risks is
required.
PTA may also serve as the foundation of an Information Security Management System (ISMS), a concept promoted by modern
standards. Its growing database and statistics may be used as evidence of the organization’s efforts to constantly improve its
process of threat and vulnerability analysis.