Activity: Develop Threat Model (CMMI Level 3: TS 2.1)
Participating Roles
Responsible:
- Architect
- Developer
Accountable:
- Architect
Consult:
- Business Analyst
A threat model documents the known security threats and describes how to address them. Threat modeling is part of a structured approach to identifying and rating the threats most likely to affect the system. With a solid threat model, threats are addressed in order of greatest risk with appropriate countermeasures. Build the threat model early and update it as the application and its architecture evolve.
Entry Criteria
When:
- After architecture has been selected for current iteration.
Dependencies:
- Application Diagram: Must be approved for current iteration.
- System Diagram: Must be approved for current iteration.
- Logical Datacenter Diagram: Must be approved for current iteration.
Sub-Activities

1. Understand the Adversary's View
- Identify the entry points to the system. Entry points are locations where data and control transfers between systems. Utilize the logical datacenter diagram, system diagrams, and associated application diagrams to identify areas where the disfavored persona or adversary can attack the system. Look for transfer points such as Web service interfaces, open sockets, remote procedure calls, or data being read from files.
- List the assets of the system. List the abstract or concrete resources that a system must protect from use by an adversary in the asset list. These resources can be tangible such as valued data or abstract such as data consistency. Assets are the targets for threats.
- Define trust areas. Using the logical datacenter diagram, create zones that represent the boundaries of where the system is secure. Characterize the zones based on privilege or credential level assigned. A trust level is the privilege that an external entity should have to legitimately use an entry point or functionality at an entry point.
2. Determine Threats
- For each asset, identify the scenarios that have been implemented so far that relate to that asset. Utilize these scenarios to bound the discussion of how the system will or will not be used.
- For each entry point, determine how an adversary might try to affect an asset. Utilize the threat template to document these threats. Utilize the STRIDE classification system to predict what the adversary would do and what his goals would be. The STRIDE model classifies threats into Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, and Elevation of privilege. A threat can belong to multiple categories.
- Analyze the threats to determine which ones are already mitigated. Each unmitigated threat becomes either a vulnerability or a quality of service requirement of type Security.
- Capture the assets, threats, and methods to mitigate the threats in a threat model document and upload the document to the project portal.
3. Review Threats (Optional)
- Ensure that all parts of the system have been reviewed and that all currently known threat categories have been considered.
- Review new, changed, or reactivated threats with the appropriate business analyst. Discuss each threat in the context of the scenarios. Describe possible mitigation strategies.
- Threats evolve over time. Ensure the threat model is updated during each iteration.
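To make the three sub-activities concrete, the following is an added Python example, not part of the MSF guidance. It records entry points with their trust level and trust zone, the asset list, and STRIDE-classified threats with their mitigations, then lists unmitigated threats in order of greatest risk (sub-activity 2) and runs the coverage check from sub-activity 3 (every entry point and asset has threats, every STRIDE category was considered). The ordering system, its threats, and the likelihood x impact rating scheme are constructed assumptions; the activity text requires threats to be rated but does not prescribe a method.

```python
"""Worked threat-model record for the Develop Threat Model activity.

Constructed example: a small ordering system with three entry points.
The rating scheme (likelihood x impact, each 1-5) is an assumption; the
activity text only says threats must be rated, not how.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum


class Stride(Enum):
    """The six STRIDE categories named in sub-activity 2."""
    SPOOFING = "Spoofing"
    TAMPERING = "Tampering"
    REPUDIATION = "Repudiation"
    INFO_DISCLOSURE = "Information disclosure"
    DENIAL_OF_SERVICE = "Denial of service"
    ELEVATION = "Elevation of privilege"


@dataclass(frozen=True)
class EntryPoint:
    """A place where data or control crosses into the system (sub-activity 1)."""
    name: str
    trust_level: str  # privilege an external entity must hold to use it legitimately
    zone: str         # trust area taken from the logical datacenter diagram


@dataclass
class Threat:
    """One row of the threat template (sub-activity 2)."""
    id: str
    entry_point: str
    asset: str
    categories: frozenset        # set of Stride; a threat can belong to several
    likelihood: int              # 1 (rare) .. 5 (expected)   -- assumed scale
    impact: int                  # 1 (negligible) .. 5 (severe) -- assumed scale
    mitigations: list = field(default_factory=list)

    @property
    def risk(self) -> int:
        return self.likelihood * self.impact

    @property
    def mitigated(self) -> bool:
        return bool(self.mitigations)


@dataclass
class ThreatModel:
    entry_points: list
    assets: list
    threats: list

    def unmitigated_by_risk(self) -> list:
        """Unmitigated threats, highest risk first: the order in which countermeasures
        (or security-type quality of service requirements) should be added."""
        return sorted((t for t in self.threats if not t.mitigated),
                      key=lambda t: (-t.risk, t.id))

    def coverage_gaps(self) -> dict:
        """Sub-activity 3 review check: entry points and assets with no threats recorded,
        and STRIDE categories never considered anywhere in the model."""
        seen_entry_points = {t.entry_point for t in self.threats}
        seen_assets = {t.asset for t in self.threats}
        seen_categories = set().union(*(t.categories for t in self.threats))
        return {
            "entry_points": [e.name for e in self.entry_points if e.name not in seen_entry_points],
            "assets": [a for a in self.assets if a not in seen_assets],
            "stride": [c.value for c in Stride if c not in seen_categories],
        }


def build_sample_model() -> ThreatModel:
    """Constructed sample data for a hypothetical ordering system."""
    entry_points = [
        EntryPoint("HTTPS order API", trust_level="authenticated customer", zone="DMZ"),
        EntryPoint("Admin RPC", trust_level="operator", zone="internal"),
        EntryPoint("Nightly import file", trust_level="batch service", zone="internal"),
    ]
    assets = ["Customer records", "Order integrity", "Audit log"]
    threats = [
        Threat("T1", "HTTPS order API", "Customer records", frozenset({Stride.INFO_DISCLOSURE}), 3, 5,
               ["Authorize every record read against the session's customer id"]),
        Threat("T2", "HTTPS order API", "Order integrity", frozenset({Stride.TAMPERING}), 4, 4),
        Threat("T3", "Admin RPC", "Audit log", frozenset({Stride.REPUDIATION, Stride.TAMPERING}), 2, 4),
        Threat("T4", "Nightly import file", "Order integrity", frozenset({Stride.TAMPERING, Stride.SPOOFING}),
               3, 3, ["Verify the file signature before import"]),
        Threat("T5", "Admin RPC", "Customer records", frozenset({Stride.ELEVATION}), 2, 5),
    ]
    return ThreatModel(entry_points, assets, threats)


if __name__ == "__main__":
    model = build_sample_model()
    print("Unmitigated threats, highest risk first:")
    for t in model.unmitigated_by_risk():
        print(f"  {t.id} risk={t.risk} {t.entry_point} -> {t.asset}")
    print("Coverage gaps:", model.coverage_gaps())
```

Running the block lists T2, T5 and T3 as the open work items and reports that no Denial of service threat has been considered yet, which is exactly the kind of gap the optional review in sub-activity 3 is meant to catch before the threat model document is uploaded to the project portal.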
Exit Criteria
Threats to the features under development are identified, documented, and rated in the threat model document.
(C) 2005 Microsoft Corporation. All rights reserved.
MSF for CMMI Process Improvement: Build 050707