The process of securing applications begins with understanding the threats against your applications. Portions of this article are excerpted from Writing Secure Code, 2nd Edition, available from Microsoft Press.
A member of the press asked me this question a few days after the Windows Security Push in February and March of 2002: "What was the most important skill your team taught developers, testers, and designers?" Without hesitating, I replied that we taught developers to trace every byte of data as it flows through their code and to question all assumptions about that data. For testers, it was data mutation. For designers, it was threat analysis. In fact, during the Windows Security Push (and all pushes that followed at Microsoft), we found that the most important aspect of the software design process, from a security viewpoint, is threat modeling.
Secure Design Through Threat Modeling
The overriding driver of threat modeling is that you cannot build secure systems until you evaluate the threats to the application with the goal of reducing the overall risk. The good news is that threat modeling is simple, but it does require significant time investment to get right. For the lazy designer, threat modeling can form the basis of the security section of the design specifications!
Threat modeling also offers other benefits, for example:
- Threat models help you understand your application better. If you spend time analyzing the makeup of your application in a relatively structured manner, you cannot help but learn how your application works! I've lost count of how many times I've heard the phrase "Oh, so that's how it works!" during a threat-modeling session!
- Threat models help you find bugs. All groups I've worked with track how bugs are found, and lately many have added a new value to the "How Found" field of their bug databases: Threat Model. If you think about it, it makes sense. You can find bugs by looking at code, and you can find bugs by testing the application. In addition, you can find bugs by critically reviewing the application's design. In fact, we've discovered that about 50 percent of the bugs found are found through threat analysis, with the other 50 percent found during testing and code analysis.
- You'll also find complex design bugs that are not likely to be found in any other way. By using threat analysis techniques, you will discover multi-step security bugs in which several small failures combine into one large disaster.