Threat referencing as a tool for WebApp security
Updated: Apr 28, 2021
The first step in securing your web application is to identify your risks, and there are plenty. The usual tool for that is threat modeling. There are many ways to employ threat modeling, but a surprisingly common practice is to map all potential risks and stop there.
Threat modeling can be an exercise in futility if undertaken in traditional isolation. Use it as part of a more focused Threat Referencing process and you will find yourself not only isolating the real threats but also reducing your security costs and increasing effective web application protection.
Threat referencing, or B.A.T Man (Business Aligned Threat Management) as we fondly call it at NOX90, is a process that takes your regular threat modeling process and makes it relevant to your business. If you are about to embark upon securing your web application, then this is the crucial first step for you.
Here is how it works:
1. Start off with the all-familiar threat modeling exercise, listing all the security threats to your Web application.
2. Now that you have your security threats mapped out, look at your existing controls, security measures and mitigating factors. Use those to reduce your threat list to the risks that your controls do not already mitigate. For example, if you are using CNI configuration to encrypt in-transit communication between pods, then that is not your threat.
3. Identify your assets and rate them in terms of how critical they are to the business. What must be protected before the others? For example, a database with PII is probably critical in terms of compliance.
4. Look at your industry and observe the nature and potency of the most successful attacks. You will find that in businesses similar to yours, the “effective” common attack vectors repeat themselves. For example, gambling companies experience lots of DDoS attacks and VIP player list data breaches.
The result of this exercise is a much smaller list of potential threats, but one that articulates the most likely attack vectors that are relevant to your company. You can now focus on mitigating the most likely threats: the ones most likely to hit you because of your type of industry and your security posture. This saves money and time and helps you sleep better at night.
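The four steps above, worked through as an added example (not NOX90's own tooling). The threat list, control names, criticality ratings, industry weights and the criticality-times-prevalence score are all constructed assumptions for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    asset: str               # asset the threat targets
    vector: str              # attack vector category
    mitigated_by: frozenset  # controls that already mitigate this threat

# Step 1: raw threat-model output (constructed sample data).
THREATS = [
    Threat("Pod-to-pod traffic sniffing", "internal-api",
           "network-eavesdropping", frozenset({"cni-encryption"})),
    Threat("Volumetric DDoS on the front end", "web-frontend",
           "ddos", frozenset({"ddos-scrubbing"})),
    Threat("VIP player list exfiltration", "player-db",
           "data-breach", frozenset({"db-field-encryption"})),
    Threat("Defacement of marketing pages", "marketing-site",
           "defacement", frozenset()),
]

# Step 2 input: controls already deployed (constructed).
CONTROLS = {"cni-encryption"}
# Step 3 input: business criticality per asset, 1 (low) to 3 (critical).
ASSET_CRITICALITY = {"player-db": 3, "web-frontend": 2,
                     "internal-api": 2, "marketing-site": 1}
# Step 4 input: how often each vector succeeds in this industry, 0 to 3.
INDUSTRY_PREVALENCE = {"ddos": 3, "data-breach": 3}

def reference_threats(threats, controls, criticality, prevalence, min_score=1):
    """Return (score, threat name) pairs, highest priority first."""
    ranked = []
    for t in threats:
        # Step 2: drop threats that a deployed control already mitigates.
        if t.mitigated_by & controls:
            continue
        # Steps 3 and 4: weight asset criticality by industry prevalence.
        # Unknown assets default to 1, vectors unseen in the industry to 0.
        score = criticality.get(t.asset, 1) * prevalence.get(t.vector, 0)
        if score >= min_score:
            ranked.append((score, t.name))
    # Highest score first; ties broken alphabetically for stable output.
    return sorted(ranked, key=lambda pair: (-pair[0], pair[1]))

if __name__ == "__main__":
    for score, name in reference_threats(
            THREATS, CONTROLS, ASSET_CRITICALITY, INDUSTRY_PREVALENCE):
        print(f"{score:>2}  {name}")
```

Four modeled threats shrink to two: the pod traffic threat drops out because the CNI encryption control covers it, and defacement drops out because that vector carries no weight in the sample industry data.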
Nox90 is a professional services company serving enterprises. We specialize in DevOps code review and architecture analysis, Kubernetes security, and cloud security.