Danny Wong, profile picture
Uploaded byDanny Wong
PPTX, PDF8,646 views

7 Steps to Threat Modeling

The document outlines a seven-step approach to threat modeling, focusing on identifying assets, creating architectural overviews, decomposing applications, identifying and documenting threats, rating them, and generating work item reports. It utilizes the STRIDE model for threat identification and the DREAD model for threat rating, emphasizing the importance of countermeasures and prioritizing threats for mitigation. The document also includes examples of potential threats and countermeasures, such as SQL injection and credential monitoring.

Embed presentation

Downloaded 280 times
7 Steps to Threat Modeling Danny Wong au.linkedin.com/in/chinwhei/
7 Step Approach 1. Identify Assets 2. Create an Architecture Overview 3. Decompose the Application 4. Identify the Threats 5. Document the Threats 6. Rate the Threats 7. Generating a Work Item Report
1. Identify Assets Q: What is your most Valued Digital Assets? Intellectual Property Web Portals Databases
2. Create an Architecture Overview Q: What people/process/technology components are used to consume the digital asset?
3. Decompose the Application Q: How many methods are there to consume the digital asset? Identify trust boundaries. Identify data flow. Identify entry points. Identify privileged code. Document the security profile.
4. Identify the Threats (STRIDE Model) Q: For each method of access, what are the possible threats? Spoofing •An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password. Tampering •Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. Repudiation •Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise— for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Nonrepudiation refers to the ability of a system to counter repudiation threats. Information Disclosure •Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it— for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers. Denial of Service •Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability. Elevation of Privilege •In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed.
5. Document the Threats Q: For each Threat, list the attack technique and countermeasure required. Threat Description Attacker obtains authentication credentials by monitoring the network Threat target Web application user authentication process Risk High Attack techniques Use of network monitoring software Countermeasures Use SSL to provide encrypted channel Threat Description Injection of SQL commands Threat target Data access component Risk High Attack techniques Attacker appends SQL commands to user name, which is used to form a SQL query Countermeasures Use a regular expression to validate the user name, and use a stored procedure that uses parameters to access the database.
6. Rate the Threats (DREAD Model) Q: For each Threat Documented, Rate the Threat against the impact to the Organization. Rating High (3) Medium (2) Low (1) D Damage potential The attacker can subvert the security system Leaking sensitive information Leaking trivial information R Reproducibility The attack can be reproduced every time and does not require a timing window. The attack can be reproduced, but only with a timing window and a particular race situation. The attack is very difficult to reproduce, even with knowledge of the security hole. E Exploitability A novice programmer could make the attack in a short time. A skilled programmer could make the attack, then repeat the steps. The attack requires an extremely skilled person and in-depth knowledge every time to exploit. A Affected users All users, default configuration, key customers Some users, non-default configuration Very small percentage of users, obscure feature; affects anonymous users D Discoverability The vulnerability is found in the most commonly used feature and is very noticeable. The vulnerability is in a seldom-used part of the product, and only a few users should come across it. The bug is obscure, and it is unlikely that users will work out damage potential. No Threat D R E A D Total Rating 1 Attacker obtains authentication credentials by monitoring the network. 3 3 2 2 2 12 High 2 SQL commands injected into application. 3 3 3 3 2 14 High
7. Generating a Work Item Report. (Mitigate) Q: For each Threat Rated, Prioritize and Fix the Threat then restart the Threat Modeling. Threat Description Attacker obtains authentication credentials by monitoring the network Attack techniques Use of network monitoring software Countermeasures Use SSL to provide encrypted channel Status SSL Implemented Threat Description Injection of SQL commands Attack techniques Attacker appends SQL commands to user name, which is used to form a SQL query Countermeasures Use a regular expression to validate the user name, and use a stored procedure that uses parameters to access the database. Status Code Updated
References Threat Modeling http://msdn.microsoft.com/en- us/library/ff648644.aspx#c03618429_012 Threat Modeling Tool http://www.microsoft.com/en- us/download/details.aspx?id=42518

More Related Content

PDF
Threat Modelling
byn|u - The Open Security Community
 
PDF
Threat Modeling Using STRIDE
byGirindro Pringgo Digdo
 
PPTX
Threat Modeling And Analysis
byLalit Kale
 
PPTX
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
PPT
Application Threat Modeling
byMarco Morana
 
PPTX
Threat modelling with_sample_application
byUmut IŞIK
 
PDF
Threat Modeling Everything
byAnne Oikarinen
 
PPTX
Threat Modeling In 2021
byAdam Shostack
 
Threat Modelling
byn|u - The Open Security Community
 
Threat Modeling Using STRIDE
byGirindro Pringgo Digdo
 
Threat Modeling And Analysis
byLalit Kale
 
Security Training: #3 Threat Modelling - Practices and Tools
byYulian Slobodyan
 
Application Threat Modeling
byMarco Morana
 
Threat modelling with_sample_application
byUmut IŞIK
 
Threat Modeling Everything
byAnne Oikarinen
 
Threat Modeling In 2021
byAdam Shostack
 

What's hot

PPTX
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
PPT
Application Security
byReggie Niccolo Santos
 
PDF
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
PPTX
Cyber Threat Modeling
byEC-Council
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
PPTX
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
PPTX
Secure coding practices
byScott Hurrey
 
PDF
Security in the Software Development Life Cycle (SDLC)
byFrances Coronel
 
PPTX
Security testing fundamentals
byCygnet Infotech
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
PDF
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
PDF
Zero Trust Model Presentation
byGowdhaman Jothilingam
 
PDF
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
PDF
Introduction to Web Application Penetration Testing
byNetsparker
 
PDF
Threat Hunting
bySplunk
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PPTX
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
PDF
Vulnerability Management
byasherad
 
PDF
Cyber Threat Intelligence
bymohamed nasri
 
PPTX
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 
Vulnerability assessment and penetration testing
byAbu Sadat Mohammed Yasin
 
Application Security
byReggie Niccolo Santos
 
Application Security | Application Security Tutorial | Cyber Security Certifi...
byEdureka!
 
Cyber Threat Modeling
byEC-Council
 
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
Application Security Architecture and Threat Modelling
byPriyanka Aash
 
Secure coding practices
byScott Hurrey
 
Security in the Software Development Life Cycle (SDLC)
byFrances Coronel
 
Security testing fundamentals
byCygnet Infotech
 
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
Secure Coding and Threat Modeling
byMiriam Celi, CISSP, GISP, MSCS, MBA
 
Zero Trust Model Presentation
byGowdhaman Jothilingam
 
Threat Modeling to Reduce Software Security Risk
bySecurity Innovation
 
Introduction to Web Application Penetration Testing
byNetsparker
 
Threat Hunting
bySplunk
 
OWASP Top 10 2021 What's New
byMichael Furman
 
Threat modelling(system + enterprise)
byabhimanyubhogwan
 
Vulnerability Management
byasherad
 
Cyber Threat Intelligence
bymohamed nasri
 
Understanding Application Threat Modelling & Architecture
byPriyanka Aash
 

Viewers also liked

PDF
Real World Application Threat Modelling By Example
byNCC Group
 
PPTX
Threat modeling web application: a case study
byAntonio Fontes
 
PPT
STRIDE And DREAD
bychuckbt
 
PPT
Web Application Security
byAbdul Wahid
 
PPTX
Evaluation of mininet WiFi integration via ns-3
byFarzaneh Pakzad
 
PPTX
Threat Modeling - Writing Secure Code
byCaleb Jenkins
 
PPTX
Making threat modeling so easy
byDinis Cruz
 
PPTX
Everything you should already know about MS-SQL post-exploitation
bySource Conference
 
PDF
Threat Modeling: Best Practices
bySource Conference
 
PDF
SC conference - Building AppSec Teams
byDinis Cruz
 
PPTX
Risk Analysis Of Banking Malware Attacks
byMarco Morana
 
PDF
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
PPT
Lecture 6 web security
byrajakhurram
 
PPTX
Web Security
byADIEFEH
 
PDF
The Internet of Things: Privacy and Security Issues
byEuropean Union Agency for Network and Information Security (ENISA)
 
PDF
Threat Modeling for the Internet of Things
byEric Vétillard
 
PDF
2013 05 BEA - ’Mobile is eating the World’
byBenedict Evans
 
PDF
Security in the Internet of Things
byForgeRock
 
PDF
Threat modeling with architectural risk patterns
byStephen de Vries
 
PDF
Internet of Things - Privacy and Security issues
byPierluigi Paganini
 
Real World Application Threat Modelling By Example
byNCC Group
 
Threat modeling web application: a case study
byAntonio Fontes
 
STRIDE And DREAD
bychuckbt
 
Web Application Security
byAbdul Wahid
 
Evaluation of mininet WiFi integration via ns-3
byFarzaneh Pakzad
 
Threat Modeling - Writing Secure Code
byCaleb Jenkins
 
Making threat modeling so easy
byDinis Cruz
 
Everything you should already know about MS-SQL post-exploitation
bySource Conference
 
Threat Modeling: Best Practices
bySource Conference
 
SC conference - Building AppSec Teams
byDinis Cruz
 
Risk Analysis Of Banking Malware Attacks
byMarco Morana
 
SecDevOps Risk Workflow - v0.6
byDinis Cruz
 
Lecture 6 web security
byrajakhurram
 
Web Security
byADIEFEH
 
The Internet of Things: Privacy and Security Issues
byEuropean Union Agency for Network and Information Security (ENISA)
 
Threat Modeling for the Internet of Things
byEric Vétillard
 
2013 05 BEA - ’Mobile is eating the World’
byBenedict Evans
 
Security in the Internet of Things
byForgeRock
 
Threat modeling with architectural risk patterns
byStephen de Vries
 
Internet of Things - Privacy and Security issues
byPierluigi Paganini
 

Similar to 7 Steps to Threat Modeling

PDF
Threat Modeling for Dummies
byAdam Englander
 
PDF
Threat Modeling for Dummies - Cascadia PHP 2018
byAdam Englander
 
PDF
Null bachav
byNaga Venkata Sunil Alamuri
 
PDF
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
PPTX
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
PPTX
Architecting for Security Resilience
byJoel Aleburu
 
PDF
Session2-Application Threat Modeling
byzakieh alizadeh
 
PPTX
Threat Modeling Web Applications
byNadia BENCHIKHA
 
PDF
Application Threat Modeling
byPriyanka Aash
 
PPTX
Cyber Week 8.pptx.......................
bysalmannawaz6566504
 
PDF
Scalable threat modelling with risk patterns
byStephen de Vries
 
PPTX
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
byDharmalingam Ganesan
 
PPTX
Chapter 3 security part i auditing operating systems and networks
byjayussuryawan
 
PPTX
download-20171010121559download-20171010121559.pptx
by2024proj005
 
PDF
Unit 1 Notes Revision.pdftttttttttttttttttttt
bysriram37357
 
PPTX
Chapter 3 security part i auditing operating systems and networks
byTommy Zul Hidayat
 
PPTX
Improving web application security, part i
byKangkan Goswami
 
PPTX
Improving web application security, part i
byKangkan Goswami
 
PPTX
Secure Iowa Oct 2016
byLarry Slobodzian
 
PDF
System Security Beyond the Libraries
byEoin Woods
 
Threat Modeling for Dummies
byAdam Englander
 
Threat Modeling for Dummies - Cascadia PHP 2018
byAdam Englander
 
Null bachav
byNaga Venkata Sunil Alamuri
 
Threat Modeling workshop by Robert Hurlbut
byDevSecCon
 
Threat Modeling - Locking the Door to Vulnerabilities
bySecurity Innovation
 
Architecting for Security Resilience
byJoel Aleburu
 
Session2-Application Threat Modeling
byzakieh alizadeh
 
Threat Modeling Web Applications
byNadia BENCHIKHA
 
Application Threat Modeling
byPriyanka Aash
 
Cyber Week 8.pptx.......................
bysalmannawaz6566504
 
Scalable threat modelling with risk patterns
byStephen de Vries
 
Threat Modeling: Applied on a Publish-Subscribe Architectural Style
byDharmalingam Ganesan
 
Chapter 3 security part i auditing operating systems and networks
byjayussuryawan
 
download-20171010121559download-20171010121559.pptx
by2024proj005
 
Unit 1 Notes Revision.pdftttttttttttttttttttt
bysriram37357
 
Chapter 3 security part i auditing operating systems and networks
byTommy Zul Hidayat
 
Improving web application security, part i
byKangkan Goswami
 
Improving web application security, part i
byKangkan Goswami
 
Secure Iowa Oct 2016
byLarry Slobodzian
 
System Security Beyond the Libraries
byEoin Woods
 

More from Danny Wong

PPTX
ITIL Mind Map v1.0 - ITIL Service Design Processes
byDanny Wong
 
PPTX
ITIL Mind Map v1.0 - ITIL Service Design
byDanny Wong
 
PPTX
ITIL Mind Map v1.0 - ITIL Service Strategy Processes
byDanny Wong
 
PPTX
ITIL Mind Map v1.0 - ITIL Service Strategy
byDanny Wong
 
PPTX
ITIL Mind Map v1.0 - ITIL Service Management As A Practice
byDanny Wong
 
PPTX
Best Practices for Securing Active Directory v2.0
byDanny Wong
 
PPTX
Project Management Professional Framework Part 1
byDanny Wong
 
PPSX
How to create a validation list in excel
byDanny Wong
 
ITIL Mind Map v1.0 - ITIL Service Design Processes
byDanny Wong
 
ITIL Mind Map v1.0 - ITIL Service Design
byDanny Wong
 
ITIL Mind Map v1.0 - ITIL Service Strategy Processes
byDanny Wong
 
ITIL Mind Map v1.0 - ITIL Service Strategy
byDanny Wong
 
ITIL Mind Map v1.0 - ITIL Service Management As A Practice
byDanny Wong
 
Best Practices for Securing Active Directory v2.0
byDanny Wong
 
Project Management Professional Framework Part 1
byDanny Wong
 
How to create a validation list in excel
byDanny Wong
 

Recently uploaded

PPTX
Scrape Grocery App Data from BigBasket, Zepto, and Blinkit.pptx
byMobile App Scraping
 
PPTX
Streamline Your Production Process with ERP Solutions
byNestorBird
 
PDF
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
PPTX
Python_Lecture12_SearchingandSorting.pptx
byamanaydana
 
PPTX
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
PPT
242017752-SAP-Asset-Accoungting-Training.ppt
byssuserad3af4
 
PPTX
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
PPTX
Mobile App Accessibility Standards Every Developer Should Know.pptx
byjanhammer1014
 
PDF
The future of software delivery is agentic
byMaxim Salnikov
 
PPTX
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
PPTX
Tableau Alternative Offers the Best Data Visualization Experience.pptx
byVarsha Nayak
 
DOCX
Unit 1 - Machine Learning Basics AUCE.docx
byMOSIUOA WESI
 
PDF
Comprehensive Windows protection with SiyanoAV Total Security — fast, smart, ...
byyogeshchauhanoffice
 
PDF
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
PDF
How to Pick the Perfect POS System for Your Hotel.pdf
byaxisrooms1
 
PPTX
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 
PDF
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
PDF
AOX Apps - Mobile App Development Company New York
byAOX APPS
 
PDF
Enterprise Reporting Made Easy for Actionable Project Insights.pdf
byOrangescrum
 
PDF
How to do Portable Applicance Testing: example
byMaheswararajJ
 
Scrape Grocery App Data from BigBasket, Zepto, and Blinkit.pptx
byMobile App Scraping
 
Streamline Your Production Process with ERP Solutions
byNestorBird
 
vMix Overview & Key Features Easily Produce, Record and Live Stream
byIGM Soraing
 
Python_Lecture12_SearchingandSorting.pptx
byamanaydana
 
Wired_AnalyticsTraineeship_13112025_clean.pptx
bySimonedeGijt
 
242017752-SAP-Asset-Accoungting-Training.ppt
byssuserad3af4
 
Communicating Software Architecture using Arc42 v1.1
byAshraf Fouad
 
Mobile App Accessibility Standards Every Developer Should Know.pptx
byjanhammer1014
 
The future of software delivery is agentic
byMaxim Salnikov
 
Attacking and Defending AI by Adity Roy and Nikita Biradar
byCysinfo Cyber Security Community
 
Tableau Alternative Offers the Best Data Visualization Experience.pptx
byVarsha Nayak
 
Unit 1 - Machine Learning Basics AUCE.docx
byMOSIUOA WESI
 
Comprehensive Windows protection with SiyanoAV Total Security — fast, smart, ...
byyogeshchauhanoffice
 
How to Make Your AI Reliable: Comprehensive Guide to Testing AI Applications ...
byQATestLab Quality is a rule
 
How to Pick the Perfect POS System for Your Hotel.pdf
byaxisrooms1
 
Enhance Workplace Safety with EHA Good Catch System
byEHA Soft Solutions
 
6 Hotel Booking Trends You Can’t Ignore in 2025.pdf
byHotelogix
 
AOX Apps - Mobile App Development Company New York
byAOX APPS
 
Enterprise Reporting Made Easy for Actionable Project Insights.pdf
byOrangescrum
 
How to do Portable Applicance Testing: example
byMaheswararajJ
 
In this document
Powered by AI

Introduction to the 7 steps involved in threat modeling by Danny Wong.

Overview of the 7 steps: Identify Assets, Architecture Overview, Decompose Application, Identify Threats, Document Threats, Rate Threats, Generate Report.

First step discusses valuing digital assets like Intellectual Property, Web Portals, Databases.

Creating an overview of how people, processes, and technology components interact with digital assets.

Breaking down how digital assets are accessed, identifying trust boundaries, data flow, entry points, and privileged code.

Using the STRIDE model to evaluate threats like Spoofing, Tampering, Repudiation, Information Disclosure, DoS, and Elevation of Privilege.

Documenting threats with description, risk rating, attack techniques, and corresponding countermeasures for security improvement.

Using the DREAD model to categorize and rate threats based on Damage, Reproducibility, Exploitability, Affected Users, Discoverability.

Final step involves generating a report to prioritize and fix rated threats, with updates on countermeasures implemented.

References for further learning on threat modeling and tools available for implementation.

7 Steps to Threat Modeling

  • 1.
    7 Steps toThreat Modeling Danny Wong au.linkedin.com/in/chinwhei/
  • 2.
    7 Step Approach 1.Identify Assets 2. Create an Architecture Overview 3. Decompose the Application 4. Identify the Threats 5. Document the Threats 6. Rate the Threats 7. Generating a Work Item Report
  • 3.
    1. Identify Assets Q:What is your most Valued Digital Assets? Intellectual Property Web Portals Databases
  • 4.
    2. Create anArchitecture Overview Q: What people/process/technology components are used to consume the digital asset?
  • 5.
    3. Decompose theApplication Q: How many methods are there to consume the digital asset? Identify trust boundaries. Identify data flow. Identify entry points. Identify privileged code. Document the security profile.
  • 6.
    4. Identify theThreats (STRIDE Model) Q: For each method of access, what are the possible threats? Spoofing •An example of identity spoofing is illegally accessing and then using another user's authentication information, such as username and password. Tampering •Data tampering involves the malicious modification of data. Examples include unauthorized changes made to persistent data, such as that held in a database, and the alteration of data as it flows between two computers over an open network, such as the Internet. Repudiation •Repudiation threats are associated with users who deny performing an action without other parties having any way to prove otherwise— for example, a user performs an illegal operation in a system that lacks the ability to trace the prohibited operations. Nonrepudiation refers to the ability of a system to counter repudiation threats. Information Disclosure •Information disclosure threats involve the exposure of information to individuals who are not supposed to have access to it— for example, the ability of users to read a file that they were not granted access to, or the ability of an intruder to read data in transit between two computers. Denial of Service •Denial of service (DoS) attacks deny service to valid users—for example, by making a Web server temporarily unavailable or unusable. You must protect against certain types of DoS threats simply to improve system availability and reliability. Elevation of Privilege •In this type of threat, an unprivileged user gains privileged access and thereby has sufficient access to compromise or destroy the entire system. Elevation of privilege threats include those situations in which an attacker has effectively penetrated all system defenses and become part of the trusted system itself, a dangerous situation indeed.
  • 7.
    5. Document theThreats Q: For each Threat, list the attack technique and countermeasure required. Threat Description Attacker obtains authentication credentials by monitoring the network Threat target Web application user authentication process Risk High Attack techniques Use of network monitoring software Countermeasures Use SSL to provide encrypted channel Threat Description Injection of SQL commands Threat target Data access component Risk High Attack techniques Attacker appends SQL commands to user name, which is used to form a SQL query Countermeasures Use a regular expression to validate the user name, and use a stored procedure that uses parameters to access the database.
  • 8.
    6. Rate theThreats (DREAD Model) Q: For each Threat Documented, Rate the Threat against the impact to the Organization. Rating High (3) Medium (2) Low (1) D Damage potential The attacker can subvert the security system Leaking sensitive information Leaking trivial information R Reproducibility The attack can be reproduced every time and does not require a timing window. The attack can be reproduced, but only with a timing window and a particular race situation. The attack is very difficult to reproduce, even with knowledge of the security hole. E Exploitability A novice programmer could make the attack in a short time. A skilled programmer could make the attack, then repeat the steps. The attack requires an extremely skilled person and in-depth knowledge every time to exploit. A Affected users All users, default configuration, key customers Some users, non-default configuration Very small percentage of users, obscure feature; affects anonymous users D Discoverability The vulnerability is found in the most commonly used feature and is very noticeable. The vulnerability is in a seldom-used part of the product, and only a few users should come across it. The bug is obscure, and it is unlikely that users will work out damage potential. No Threat D R E A D Total Rating 1 Attacker obtains authentication credentials by monitoring the network. 3 3 2 2 2 12 High 2 SQL commands injected into application. 3 3 3 3 2 14 High
  • 9.
    7. Generating aWork Item Report. (Mitigate) Q: For each Threat Rated, Prioritize and Fix the Threat then restart the Threat Modeling. Threat Description Attacker obtains authentication credentials by monitoring the network Attack techniques Use of network monitoring software Countermeasures Use SSL to provide encrypted channel Status SSL Implemented Threat Description Injection of SQL commands Attack techniques Attacker appends SQL commands to user name, which is used to form a SQL query Countermeasures Use a regular expression to validate the user name, and use a stored procedure that uses parameters to access the database. Status Code Updated
  • 10.
    References Threat Modeling http://msdn.microsoft.com/en- us/library/ff648644.aspx#c03618429_012 Threat ModelingTool http://www.microsoft.com/en- us/download/details.aspx?id=42518