Threat modelling is a structured process for identifying potential security threats and vulnerabilities, assessing the severity of each potential impact, and prioritizing methods to reduce or mitigate those threats in the environment. By performing threat modelling activities against a system design, proactive architectural decisions can be made that help mitigate threats in the early stages of development. Threat modelling performed in the initial stages of the development lifecycle enables architects to identify and mitigate potential security threats and vulnerabilities early, when they are relatively easy and cost-effective to resolve.

STRIDE is a threat model used to help consider and identify potential threats in the environment. The model aims to ensure that an application meets the security directives of the CIA triad (confidentiality, integrity, and availability), alongside authentication, authorization, and non-repudiation. Therefore, IGRC2 will perform the threat modelling exercise using the STRIDE threat modelling technique.

The threat modelling exercise will involve a workshop with key system stakeholders, where the objective will be to understand the workings of the environment, its components, data flows and trust boundaries. The review will also be guided by industry research and publicly available documentation. The resulting report will include a list of identified threats, an analysis of their likelihood and impact on the environment, and recommended mitigation strategies.
Goal: A meeting with the relevant key stakeholders to discuss the plan, scope, and requirements of the exercise.
Scoping: Identify the scope and architecture type, such as mobile/web application, cloud system, network infrastructure, embedded system, etc.
Information Gathering: Understand the environment by reviewing the documentation shared, which may include, but is not limited to, design, architecture, procedures, policies, and other previous assets such as the risk register, risk framework, remediation work, etc.
Decomposition of different components: Based on the information gathered, organize workshops with relevant stakeholders to decompose the architecture into its components, data flows, application and business processes, and trust boundaries.
Threat Modelling Methodology: The STRIDE threat model, as well as industry research and intelligence, will be used for the threat modelling exercise by IGRC2. STRIDE is a threat modelling approach
For a red team assessment to be successful, organizational buy-in from senior management is essential from the very start, across departments such as IT, HR and legal.
A red team assessment is not just about highlighting the company’s weaknesses but is an attempt to think outside the box when it comes to the security of the business. It is a clear effort from the organization to understand and continuously improve the security posture of the business into the future.
Thick client penetration testing encompasses both client- and server-side processing and frequently makes use of proprietary communication protocols.
A source code review is a security service that examines the source code of an application manually or using scanners. The purpose of this examination is to identify any existing security flaws or vulnerabilities.

API penetration testing is a security service that simulates an external attacker or malicious insider specifically targeting a particular set of API endpoints and attempting to breach security in order to compromise the confidentiality, integrity, or availability of an organization's resources.